Regular expression injection¶
ID: rb/regexp-injectionKind: path-problemSecurity severity: 7.5Severity: errorPrecision: highTags: - security - external/cwe/cwe-1333 - external/cwe/cwe-730 - external/cwe/cwe-400Query suites: - ruby-code-scanning.qls - ruby-security-extended.qls - ruby-security-and-quality.qls
Click to see the query in the CodeQL repository
Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.
Recommendation¶
Before embedding user input into a regular expression, use a sanitization function such asRegexp.escape to escape meta-characters that have special meaning.
Example¶
The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:
classUsersController<ActionController::Basedeffirst_example# BAD: Unsanitized user input is used to construct a regular expressionregex=/#{params[:key]}/enddefsecond_example# BAD: Unsanitized user input is used to construct a regular expressionregex=Regexp.new(params[:key])endend
Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.
classUsersController<ActionController::Basedefexample# GOOD: User input is sanitized before constructing the regular expressionregex=Regexp.new(Regex.escape(params[:key]))endend
References¶
Wikipedia:ReDoS.
Ruby:Regexp.escape.
Common Weakness Enumeration:CWE-1333.
Common Weakness Enumeration:CWE-730.
Common Weakness Enumeration:CWE-400.