CodeQL documentation

Overly permissive regular expression range

ID: py/overly-large-range
Kind: problem
Security severity: 5.0
Severity: warning
Precision: high
   - correctness
   - security
   - external/cwe/cwe-020
Query suites:
   - python-code-scanning.qls
   - python-security-extended.qls
   - python-security-and-quality.qls

Click to see the query in the CodeQL repository

It’s easy to write a regular expression range that matches a wider range of characters than you intended. For example, /[a-zA-z]/ matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: [ \ ] ^ _ `.

Another common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class [a-zA-Z0-9%=.,-_] the last character range matches the 55 characters between , and _ (both included), which overlaps with the range [0-9] and is clearly not intended by the writer.


Avoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.


The following example code is intended to check whether a string is a valid 6 digit hex color.

import re
def is_valid_hex_color(color):
    return re.match(r'^#[0-9a-fA-f]{6}$', color) is not None

However, the A-f range is overly large and matches every uppercase character. It would parse a “color” like #XXYYZZ as valid.

The fix is to use an uppercase A-F range instead.

import re
def is_valid_hex_color(color):
    return re.match(r'^#[0-9a-fA-F]{6}$', color) is not None


  • © GitHub, Inc.
  • Terms
  • Privacy