ruby.rails.security.brakeman.check-regex-dos.check-regex-dos

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.

Run Locally

Run in CI

Defintion

rules:
  - id: check-regex-dos
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern: |
                  cookies[...]
              - patterns:
                  - pattern: |
                      cookies. ... .$PROPERTY[...]
                  - metavariable-regex:
                      metavariable: $PROPERTY
                      regex: (?!signed|encrypted)
              - pattern: |
                  params[...]
              - pattern: |
                  request.env[...]
              - patterns:
                  - pattern: $Y
                  - pattern-either:
                      - pattern-inside: |
                          $RECORD.read_attribute($Y)
                      - pattern-inside: |
                          $RECORD[$Y]
                  - metavariable-regex:
                      metavariable: $RECORD
                      regex: "[A-Z][a-z]+"
    pattern-sinks:
      - patterns:
          - pattern-either:
              - patterns:
                  - pattern: $Y
                  - pattern-inside: |
                      /...#{...}.../
              - patterns:
                  - pattern: $Y
                  - pattern-inside: |
                      Regexp.new(...)
    message: Found a potentially user-controllable argument in the construction of a
      regular expressions. This may result in excessive resource consumption
      when applied to certain inputs, or when the user is allowed to control the
      match target. Avoid allowing users to specify regular expressions
      processed by the server. If you must support user-controllable input in a
      regular expression, use an allow-list to restrict the expressions users
      may supply to limit catastrophic backtracking.
    languages:
      - ruby
    severity: ERROR
    metadata:
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_regex_dos.rb
      category: security
      cwe:
        - "CWE-1333: Inefficient Regular Expression Complexity"
      owasp:
        - A03:2017 - Sensitive Data Exposure
      technology:
        - ruby
        - rails
      references:
        - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Denial-of-Service (DoS)

Examples

check-regex-dos.rb

def some_rails_controller
  foo = params[:some_regex]
  #ruleid: check-regex-dos
  Regexp.new(foo).match("some_string")
end

def some_rails_controller
  foo = Record[something]
  #ruleid: check-regex-dos
  Regexp.new(foo).match("some_string")
end

def some_rails_controller
  foo = Record.read_attribute("some_attribute")
  #ruleid: check-regex-dos
  Regexp.new(foo).match("some_string")

  bar = ENV['someEnvVar']
  #ok: check-regex-dos
  Regexp.new(bar).match("some_string")
end

def use_params_in_regex
#ruleid: check-regex-dos
@x = something.match /#{params[:x]}/
end

def regex_on_params
#ok: check-regex-dos
@x = params[:x].match /foo/
end