Regular expression injection¶
ID: js/regex-injection Kind: path-problem Security severity: 7.5 Severity: error Precision: high Tags: - security - external/cwe/cwe-730 - external/cwe/cwe-400 Query suites: - javascript-code-scanning.qls - javascript-security-extended.qls - javascript-security-and-quality.qls Click to see the query in the CodeQL repository
Constructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.
Recommendation¶
Before embedding user input into a regular expression, use a sanitization function such as lodash’s _.escapeRegExp to escape meta-characters that have special meaning.
Example¶
The following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:
varexpress=require('express');varapp=express();app.get('/findKey',function(req,res){varkey=req.param("key"),input=req.param("input");// BAD: Unsanitized user input is used to construct a regular expressionvarre=newRegExp("\\b"+key+"=(.*)\n");});Instead, the request parameter should be sanitized first, for example using the function _.escapeRegExp from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.
varexpress=require('express');var_=require('lodash');varapp=express();app.get('/findKey',function(req,res){varkey=req.param("key"),input=req.param("input");// GOOD: User input is sanitized before constructing the regexvarsafeKey=_.escapeRegExp(key);varre=newRegExp("\\b"+safeKey+"=(.*)\n");});