ruby.rails.security.brakeman.check-regex-dos.check-regex-dos
semgrep
Author
unknown
Download Count*
License
Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.
Run Locally
Run in CI
Defintion
rules:
- id: check-regex-dos
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- pattern: |
cookies[...]
- patterns:
- pattern: |
cookies. ... .$PROPERTY[...]
- metavariable-regex:
metavariable: $PROPERTY
regex: (?!signed|encrypted)
- pattern: |
params[...]
- pattern: |
request.env[...]
- patterns:
- pattern: $Y
- pattern-either:
- pattern-inside: |
$RECORD.read_attribute($Y)
- pattern-inside: |
$RECORD[$Y]
- metavariable-regex:
metavariable: $RECORD
regex: "[A-Z][a-z]+"
pattern-sinks:
- patterns:
- pattern-either:
- patterns:
- pattern: $Y
- pattern-inside: |
/...#{...}.../
- patterns:
- pattern: $Y
- pattern-inside: |
Regexp.new(...)
message: Found a potentially user-controllable argument in the construction of a
regular expressions. This may result in excessive resource consumption
when applied to certain inputs, or when the user is allowed to control the
match target. Avoid allowing users to specify regular expressions
processed by the server. If you must support user-controllable input in a
regular expression, use an allow-list to restrict the expressions users
may supply to limit catastrophic backtracking.
languages:
- ruby
severity: ERROR
metadata:
source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_regex_dos.rb
category: security
cwe:
- "CWE-1333: Inefficient Regular Expression Complexity"
owasp:
- A03:2017 - Sensitive Data Exposure
technology:
- ruby
- rails
references:
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
subcategory:
- vuln
likelihood: HIGH
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Denial-of-Service (DoS)
Examples
check-regex-dos.rb
def some_rails_controller
foo = params[:some_regex]
#ruleid: check-regex-dos
Regexp.new(foo).match("some_string")
end
def some_rails_controller
foo = Record[something]
#ruleid: check-regex-dos
Regexp.new(foo).match("some_string")
end
def some_rails_controller
foo = Record.read_attribute("some_attribute")
#ruleid: check-regex-dos
Regexp.new(foo).match("some_string")
bar = ENV['someEnvVar']
#ok: check-regex-dos
Regexp.new(bar).match("some_string")
end
def use_params_in_regex
#ruleid: check-regex-dos
@x = something.match /#{params[:x]}/
end
def regex_on_params
#ok: check-regex-dos
@x = params[:x].match /foo/
end
Short Link: https://sg.run/qZwx