csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout

Author: returntocorp

Specifying an infinite (or very long) regex match timeout leaves the system vulnerable to a regex-based Denial of Service (ReDoS) attack: a pattern that backtracks catastrophically on attacker-controlled input can pin a thread for minutes or hours. Consider setting the timeout to a short amount of time like 2 or 3 seconds and handling the resulting RegexMatchTimeoutException. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the "Notes to Callers" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0

What the rule checks, and what it does not: it flags Regex constructor calls whose timeout argument is an infinite value, a TimeSpan.FromSeconds literal greater than 5, or any TimeSpan.FromMinutes or TimeSpan.FromHours value, and only in files that contain a using System.Text.RegularExpressions; directive. It does not flag a constructor called with no timeout argument at all (which defaults to infinite unless the AppDomain property REGEX_DEFAULT_MATCH_TIMEOUT is set), the static Regex.IsMatch / Regex.Match / Regex.Replace overloads that take a matchTimeout, a timeout passed through a variable rather than a numeric literal, or values built with TimeSpan.FromMilliseconds or TimeSpan.FromDays. Treat a clean scan as a hint, not as proof that every regex is bounded.
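The following is an added example, not code from the Semgrep rule or its test file. It shows the failure mode the rule is about: a pattern with nested quantifiers (the constructed pattern ^(a+)+$) run against a constructed input that can never match, so the backtracking engine tries every way of splitting the run of 'a's. The helper name TryMatch and the input length are assumptions made for this illustration. The same constructor call is made once with the short budget the rule recommends and once (commented out) with Regex.InfiniteMatchTimeout, which is the call the rule is meant to flag.

```csharp
// Added example, not part of the Semgrep rule or its test file.
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class RegexTimeoutDemo
{
    // Constructed ReDoS-prone pattern: a nested quantifier followed by an end
    // anchor. When the input cannot match, the engine backtracks through every
    // partition of the 'a' run before giving up (exponential in the run length).
    private const string EvilPattern = @"^(a+)+$";

    // Constructed input: a run of 'a's ending in a character the pattern never accepts.
    private static readonly string CraftedInput = new string('a', 30) + "!";

    // Runs one match with the given per-match budget and reports how it ended.
    // (TryMatch is a name chosen for this example.)
    public static (string outcome, TimeSpan elapsed) TryMatch(TimeSpan timeout)
    {
        var rgx = new Regex(EvilPattern, RegexOptions.None, timeout);
        var sw = Stopwatch.StartNew();
        try
        {
            bool matched = rgx.IsMatch(CraftedInput);
            sw.Stop();
            return (matched ? "matched" : "no match", sw.Elapsed);
        }
        catch (RegexMatchTimeoutException ex)
        {
            sw.Stop();
            // ex.MatchTimeout is the budget that was exceeded; ex.Input and
            // ex.Pattern identify the offending input and pattern for logging.
            return ($"timed out after {ex.MatchTimeout.TotalSeconds}s", sw.Elapsed);
        }
    }

    public static void Main()
    {
        // Hardened form: a short budget, as the rule's message recommends.
        // The input above forces catastrophic backtracking, so this ends with
        // a RegexMatchTimeoutException rather than a (very late) "no match".
        var (outcome, elapsed) = TryMatch(TimeSpan.FromSeconds(2));
        Console.WriteLine($"2s timeout: {outcome} in {elapsed.TotalMilliseconds:F0} ms");

        // Vulnerable form: the call the rule flags. Uncomment only if you are
        // prepared to wait; with an infinite timeout nothing stops the search.
        // var (slow, took) = TryMatch(Regex.InfiniteMatchTimeout);
    }
}
```

The timeout is checked periodically inside the matcher, so the call returns shortly after the budget elapses rather than at exactly two seconds; treat it as an upper bound per match, not a precise deadline, and log ex.Pattern and ex.Input when you catch the exception so the offending regex can be rewritten. On .NET 7 and later, RegexOptions.NonBacktracking gives linear-time matching for the constructs it supports and is the stronger fix when the pattern allows it.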

Definition

rules:
  - id: regular-expression-dos-infinite-timeout
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-1333: Inefficient Regular Expression Complexity"
      owasp: A01:2017 - Injection
      references:
        - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
        - https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout
        - https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0
      category: security
      technology:
        - .net
      confidence: MEDIUM
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: 'Specifying an infinite (or very long) regex timeout leaves the
      system vulnerable to a regex-based Denial of Service (DoS) attack.
      Consider setting the timeout to a short amount of time like 2 or 3
      seconds. If you are sure you need an infinite timeout, double check that
      your context meets the conditions outlined in the "Notes to Callers"
      section at the bottom of this
      page:  https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0'
    patterns:
      - pattern-inside: |
          using System.Text.RegularExpressions;
          ...
      - pattern-either:
          - pattern: new Regex(..., TimeSpan.InfiniteMatchTimeout)
          # The .NET member that actually exists is the static field
          # Regex.InfiniteMatchTimeout; match that spelling as well.
          - pattern: new Regex(..., Regex.InfiniteMatchTimeout)
          - patterns:
              - pattern: new Regex(..., TimeSpan.FromSeconds($TIME))
              - metavariable-comparison:
                  metavariable: $TIME
                  comparison: $TIME > 5
          - pattern: new Regex(..., TimeSpan.FromMinutes(...))
          - pattern: new Regex(..., TimeSpan.FromHours(...))

Examples

regular-expression-dos-infinite-timeout.cs

using System;
using System.Text.RegularExpressions;

namespace RegularExpressionsDosInfiniteTimeout
{
    public class RegularExpressionsDosInfiniteTimeout
    {
        // Pattern under test; only the timeout argument matters to the rule.
        private const string pattern = @"^(a+)+$";

        // ok: regular-expression-dos-infinite-timeout
        Regex rgx1 = new Regex(pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(1));

        // ruleid: regular-expression-dos-infinite-timeout
        Regex rgx2 = new Regex(pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(10));

        // ruleid: regular-expression-dos-infinite-timeout
        Regex rgx3 = new Regex(pattern, RegexOptions.IgnoreCase, Regex.InfiniteMatchTimeout);

        // ruleid: regular-expression-dos-infinite-timeout
        Regex rgx4 = new Regex(pattern, RegexOptions.IgnoreCase, TimeSpan.FromMinutes(1));

        // ruleid: regular-expression-dos-infinite-timeout
        Regex rgx5 = new Regex(pattern, RegexOptions.IgnoreCase, TimeSpan.FromHours(1));
    }
}