CodeQL documentation

Overly permissive regular expression range

ID: js/overly-large-range
Kind: problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
   - correctness
   - security
   - external/cwe/cwe-020
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

It’s easy to write a regular expression range that matches a wider range of characters than you intended. For example, /[a-zA-z]/ matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: [ \ ] ^ _ `.

Another common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class [a-zA-Z0-9%=.,-_] the last character range matches the 55 characters between , and _ (both included), which overlaps with the range [0-9] and is clearly not intended by the writer.

Recommendation

Avoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.

Example

The following example code is intended to check whether a string is a valid 6 digit hex color.

function isValidHexColor(color) {
    return /^#[0-9a-fA-f]{6}$/i.test(color);
}

However, the A-f range is overly large and matches every uppercase character. It would parse a “color” like #XXYYZZ as valid.

The fix is to use an uppercase A-F range instead.

function isValidHexColor(color) {
    return /^#[0-9A-F]{6}$/i.test(color);
}

References

  • © GitHub, Inc.
  • Terms
  • Privacy