Regular expression with inefficient worst-case complexity (ReDoS)
ID |
c.denial_of_service.regex_dos |
Severity |
low |
Resource |
Denial Of Service |
Language |
C / C++ |
Description
The software uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Poorly constructed regular expressions that exhibit exponential runtime when fed specifically crafted inputs can cause RegEx denial of service (ReDoS).
Rationale
The software uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Poorly constructed regular expressions that exhibit exponential runtime when fed specifically crafted inputs can cause RegEx denial of service (ReDoS).
The following code illustrates a vulnerable pattern detected by this rule:
int ret;
// VULNERABLE: Regular expression with inefficient worst-case complexity (ReDoS)
char regex[] = "^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$"
ret = regcomp(&r1,
// VULNERABLE: Regular expression with inefficient worst-case complexity (ReDoS)
"^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$",
0);
if (ret)
return 1;
if (ret = regcomp(&r2,
// VULNERABLE: Regular expression with inefficient worst-case complexity (ReDoS)
"^([a-zA-Z0-9])(([\-.]|[_]+)?"
"([a-zA-Z0-9]+))*(@){1}[a-z0-9]+"
"[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$",
0))
return 1;
ret = regcomp(&r3, regex, 0);
if (ret)
return 1;
return 0;
}Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
References
-
OWASP Top 10 2021 - A03 : Injection.