Modification after validation
Description
The application validates a variable with a regular expression pattern match and then calls string modification functions on it after the validation has occurred. The value that was validated is therefore not the value that is used afterwards, which indicates a poor input validation strategy and is potentially exploitable by an adversary.
Examples
Insecure Code

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

String input = "test../....//dir";
Pattern pattern = Pattern.compile("\\.\\.");
// The matcher keeps a reference to the original string.
Matcher match = pattern.matcher(input);
// Modification after the matcher was created: Strings are immutable, so this
// assigns a new object to `input`; the check below still runs on the old value.
input = input.replace("../", "");
if (match.find()) {
    throw new Exception(".. detected");
}
```

Secure Code
```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

String input = "test../....//dir";
// Modify first so the validated string is exactly the one used afterwards.
input = input.replaceAll("\\.\\.", "");
Pattern pattern = Pattern.compile("\\.\\.");
Matcher match = pattern.matcher(input);
if (match.find()) {
    throw new Exception(".. detected");
}
```

Remediation
Perform string modifications before any validation of a string and consider encoding strings instead of replacing or removing characters prior to validation.
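As an added example (not part of the rule's own code), the same ordering problem with a hypothetical cleanup step that rewrites the encoded form `%2e` into a dot: in the validate-then-modify order the regex never sees the sequence it is meant to reject, while the modify-then-validate order checks the string that is actually used. The class name, the `%2e` cleanup step and the sample input are assumptions constructed for this illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OrderOfOperations {
    // Rejects any ".." sequence (the same check as the rule's examples).
    private static final Pattern DOT_DOT = Pattern.compile("\\.\\.");

    // Vulnerable order: validate first, then modify. The check runs on the
    // original text, while a different string is the one returned and used.
    static String validateThenModify(String input) {
        Matcher m = DOT_DOT.matcher(input);
        if (m.find()) {
            throw new IllegalArgumentException(".. detected");
        }
        // Hypothetical cleanup applied after validation: it turns the encoded
        // form %2e into a literal dot, which the check above never saw.
        return input.replace("%2e", ".");
    }

    // Remediated order: apply every modification first, then validate the
    // exact string that will be used afterwards.
    static String modifyThenValidate(String input) {
        String normalized = input.replace("%2e", ".");
        Matcher m = DOT_DOT.matcher(normalized);
        if (m.find()) {
            throw new IllegalArgumentException(".. detected");
        }
        return normalized;
    }

    public static void main(String[] args) {
        // Constructed sample: contains no literal ".." before the cleanup step.
        String input = "test%2e%2e/dir";
        System.out.println("validate-then-modify returned: " + validateThenModify(input));
        try {
            System.out.println("modify-then-validate returned: " + modifyThenValidate(input));
        } catch (IllegalArgumentException e) {
            System.out.println("modify-then-validate rejected input: " + e.getMessage());
        }
    }
}
```

With the constructed input, `validateThenModify` passes validation and returns a value containing `..`, whereas `modifyThenValidate` rejects it.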
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0726 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-182 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | input validation, regular expression, string modification |
| OWASP | A1:2017-Injection, A03:2021-Injection |