Recipe Name:
Regex Injection
Description:
Use Pattern#quote to include untrusted input in regexes.
Level:
error
Language:
  • java
Tags:
  • security
  • SEI CERT
  • Java basic
  • injection
  • OWASP Top 10
Documentation

Allowing untrusted input into a regular expression lets that input change the meaning of the pattern, which can lead to the unintentional inclusion of sensitive data in matches or to denial-of-service vulnerabilities.

Untrusted input should be sanitized before it is used as part of a regular expression. For this, the Pattern class provides the static Pattern.quote(String) method, which returns a pattern string that matches the given input literally.

Before
public static void FindLogEntry(String search) {
    // Construct regex dynamically from user string
    String regex = "(.*? +public\\[\\d+\\] +.*" + search + ".*)";
    // The unsanitized input reaches Pattern.compile, so regex metacharacters in it are interpreted
    Pattern pattern = Pattern.compile(regex);
}
After
public static void FindLogEntry(String search) {
    // Sanitize search string: Pattern.quote makes every character of it match literally
    search = Pattern.quote(search);
    // Construct regex dynamically from user string
    String regex = "(.*? +public\\[\\d+\\] +.*" + search + ".*)";
    // Only the quoted input reaches Pattern.compile
    Pattern pattern = Pattern.compile(regex);
}
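The effect of the quote step on the recipe's log-search regex, as an added Java example that is not part of the original recipe; the log lines, the crafted input and the helper names are constructed for illustration:

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RegexInjectionDemo {

    // Constructed sample log lines; the "private" line is the data the search must not expose.
    static final String[] LOG = {
        "10:00 public[101] user=alice action=login",
        "10:01 public[102] user=bob action=logout",
        "10:02 private[103] user=admin token=SAMPLE-PLACEHOLDER",
    };

    // Vulnerable variant: the untrusted search term is concatenated into the pattern unchanged.
    static List<String> findLogEntryVulnerable(String search) {
        String regex = "(.*? +public\\[\\d+\\] +.*" + search + ".*)";
        return grep(Pattern.compile(regex));
    }

    // Hardened variant: Pattern.quote wraps the input in \Q...\E so every character is literal.
    static List<String> findLogEntryQuoted(String search) {
        String regex = "(.*? +public\\[\\d+\\] +.*" + Pattern.quote(search) + ".*)";
        return grep(Pattern.compile(regex));
    }

    // Returns the log lines the whole-line pattern matches.
    static List<String> grep(Pattern p) {
        List<String> hits = new ArrayList<>();
        for (String line : LOG) {
            Matcher m = p.matcher(line);
            if (m.matches()) hits.add(line);
        }
        return hits;
    }

    public static void main(String[] args) {
        String benign = "user=alice";
        // Input containing regex metacharacters: the "|" splits the group into two alternatives,
        // and the second one no longer requires the "public[...]" prefix.
        String crafted = "|.*private.*";

        System.out.println("vulnerable, benign : " + findLogEntryVulnerable(benign));   // the alice line only
        System.out.println("vulnerable, crafted: " + findLogEntryVulnerable(crafted));  // all three lines, private one included
        System.out.println("quoted,     crafted: " + findLogEntryQuoted(crafted));      // nothing: the input is matched literally
    }
}
```

Pattern.quote only neutralises metacharacters in the input; it does not protect against a slow pattern elsewhere in the regex, so the fixed part of the expression still needs to be reviewed for catastrophic backtracking.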
References
Recipe
id: scw:java:regex-injection
version: 10
metadata:
  name: Regex Injection
  shortDescription: Use Pattern#quote to include untrusted input in regexes.
  level: error
  language: java
  cweCategory: 625
  enabled: true
  descriptionFile: descriptions/Regex_Injection.html
  tags: security;SEI CERT;Java basic;injection;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: true
          trustedSources:
          - methodcall:
              name: quote
              type: java.util.regex.Pattern
    name: compile
    type: java.util.regex.Pattern
availableFixes:
- name: Wrap the untrusted input in Pattern#quote
  actions:
  - rewrite:
      to: java.util.regex.Pattern.quote({{{.}}})
      target: self