Regular expression injection¶
ID: rb/regexp-injection
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-1333
- external/cwe/cwe-730
- external/cwe/cwe-400
Query suites:
- ruby-code-scanning.qls
- ruby-security-extended.qls
- ruby-security-and-quality.qls
Click to see the query in the CodeQL repository
Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.
Recommendation¶
Before embedding user input into a regular expression, use a sanitization function such as Regexp.escape to escape meta-characters that have special meaning.
Example¶
The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:
class UsersController < ActionController::Base
def first_example
# BAD: Unsanitized user input is used to construct a regular expression
regex = /#{ params[:key] }/
end
def second_example
# BAD: Unsanitized user input is used to construct a regular expression
regex = Regexp.new(params[:key])
end
end
Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.
class UsersController < ActionController::Base
def example
# GOOD: User input is sanitized before constructing the regular expression
regex = Regexp.new(Regex.escape(params[:key]))
end
end
References¶
Wikipedia: ReDoS.
Ruby: Regexp.escape.
Common Weakness Enumeration: CWE-1333.
Common Weakness Enumeration: CWE-730.
Common Weakness Enumeration: CWE-400.