1- <!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" qhelp.dtd"> <qhelp >
1+ <!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" qhelp.dtd">
2+ <qhelp >
3+ <overview >
4+ <p >
5+ Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
6+ be able to modify the meaning of the expression. In particular, such a user may be able to provide
7+ a regular expression fragment that takes exponential time in the worst case, and use that to
8+ perform a Denial of Service attack.
9+ </p >
10+ </overview >
211
3- <overview >
4- <p >
5- Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
6- be able to modify the meaning of the expression. In particular, such a user may be able to provide
7- a regular expression fragment that takes exponential time in the worst case, and use that to
8- perform a Denial of Service attack.
9- </p >
10- </overview >
12+ <recommendation >
13+ <p >
14+ Before embedding user input into a regular expression, use a sanitization function such as
15+ <code >re.escape</code > to escape meta-characters that have a special meaning regarding
16+ regular expressions' syntax.
17+ </p >
18+ </recommendation >
1119
12- <recommendation >
13- <p >
14- Before embedding user input into a regular expression, use a sanitization function such as
15- <code >re.escape</code > to escape meta-characters that have a special meaning regarding
16- regular expressions' syntax.
17- </p >
18- </recommendation >
20+ <example >
21+ <p >
22+ The following examples are based on a simple Flask web server environment.
23+ </p >
24+ <p >
25+ The following example shows a HTTP request parameter that is used to construct a regular expression
26+ without sanitizing it first:
27+ </p >
28+ <sample src =" unit_tests/re_bad.py" />
29+ <p >
30+ Instead, the request parameter should be sanitized first, for example using the function
31+ <code >re.escape</code >. This ensures that the user cannot insert characters which have a
32+ special meaning in regular expressions.
33+ </p >
34+ <sample src =" examples/re_good.py" />
35+ </example >
1936
20- <example >
21- <p >
22- The following examples are based on a simple Flask web server environment.
23- </p >
24- <p >
25- The following example shows a HTTP request parameter that is used to construct a regular expression
26- without sanitizing it first:
27- </p >
28- <sample src =" unit_tests/re_bad.py" />
29- <p >
30- Instead, the request parameter should be sanitized first, for example using the function
31- <code >re.escape</code >. This ensures that the user cannot insert characters which have a
32- special meaning in regular expressions.
33- </p >
34- <sample src =" examples/re_good.py" />
35- </example >
36-
37- <references >
38- <li >
39- OWASP:
40- <a href =" https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" >Regular expression Denial of Service - ReDoS</a >.
41- </li >
42- <li >
43- Wikipedia: <a href =" https://en.wikipedia.org/wiki/ReDoS" >ReDoS</a >.
44- </li >
45- <li >
46- Python docs: <a href =" https://docs.python.org/3/library/re.html" >re</a >.
47- </li >
48- <li >
49- SonarSource: <a href =" https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631" >RSPEC-2631</a >
50- </li >
51- </references >
37+ <references >
38+ <li >
39+ OWASP:
40+ <a href =" https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" >Regular expression Denial of Service - ReDoS</a >.
41+ </li >
42+ <li >
43+ Wikipedia: <a href =" https://en.wikipedia.org/wiki/ReDoS" >ReDoS</a >.
44+ </li >
45+ <li >
46+ Python docs: <a href =" https://docs.python.org/3/library/re.html" >re</a >.
47+ </li >
48+ <li >
49+ SonarSource: <a href =" https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631" >RSPEC-2631</a >
50+ </li >
51+ </references >
5252</qhelp >
0 commit comments