Inefficient Regular Expression Complexity
Description
The application is constructing a regular expression with user-controllable input, which may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target.
Examples
Insecure Code

```ruby
# The pattern itself comes from the request, so the user controls
# how much backtracking the engine will do on the match target.
Regexp.new(user_input)
```

Secure Code

```ruby
# Server-side allow-list of pre-vetted patterns; the user may only pick
# an entry by name and never supplies regular-expression syntax.
ALLOWED_PATTERNS = { 'digits_only' => /^\d+$/ }
safe_pattern = ALLOWED_PATTERNS['digits_only']
target_data.match(safe_pattern)
```

Remediation
Avoid allowing users to specify regular expressions processed by the server. If user-controllable input in a regular expression is necessary, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.
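The following is an added example, not code from the rule page or from the Brakeman/Semgrep rule it documents, showing the allow-list approach from the description and remediation in a runnable form. The pattern names, the `MAX_TARGET_LENGTH` cap and the two error classes are assumptions chosen for illustration; the optional `Regexp.linear_time?` check is a real Ruby 3.3+ method and is skipped on older interpreters.

```ruby
# Added example (not from the rule page): select a server-side allow-listed
# pattern by name instead of compiling a user-supplied regular expression.

# Allow-list of pre-vetted patterns. Each uses \A and \z so the whole string
# must match (Ruby's ^ and $ only anchor to line boundaries), and none of
# them nests quantifiers in a way that could backtrack catastrophically.
ALLOWED_PATTERNS = {
  'digits_only' => /\A\d+\z/,
  'hex_id'      => /\A[0-9a-f]{8,32}\z/,
  'username'    => /\A[a-z0-9_]{1,32}\z/i,
}.freeze

# Defence in depth: bound the size of the match target, so that even a pattern
# that is later edited into something slow cannot be fed unbounded input.
MAX_TARGET_LENGTH = 1024   # assumed limit for this example

class PatternNotAllowed < StandardError; end
class TargetTooLong < StandardError; end

# Look up a pattern by the key the user supplied. The user never provides
# regex syntax; an unknown key is rejected rather than compiled.
def lookup_pattern(pattern_key)
  ALLOWED_PATTERNS.fetch(pattern_key.to_s) do
    raise PatternNotAllowed, "unknown pattern: #{pattern_key.inspect}"
  end
end

# Apply an allow-listed pattern to a bounded target. Returns true or false.
def safe_match?(pattern_key, target)
  if target.bytesize > MAX_TARGET_LENGTH
    raise TargetTooLong, "target exceeds #{MAX_TARGET_LENGTH} bytes"
  end
  lookup_pattern(pattern_key).match?(target)
end

# Optional review-time check: on Ruby >= 3.3, Regexp.linear_time? reports
# whether the engine can match a pattern without exponential backtracking.
# Returns nil on older Rubies so "unknown" is distinguishable from "false".
def linear_time_or_nil(regexp)
  return nil unless Regexp.respond_to?(:linear_time?)
  Regexp.linear_time?(regexp)
end

if __FILE__ == $PROGRAM_NAME
  puts safe_match?('digits_only', '12345')     # true
  puts safe_match?('digits_only', "123\nabc") # false: \A..\z covers the whole string
  begin
    # Raw regex syntax is treated as an unknown key, never compiled.
    safe_match?('\d+', '12345')
  rescue PatternNotAllowed => e
    puts "rejected: #{e.message}"
  end
end
```

The `lookup_pattern` step is what removes the user from the pattern-construction path entirely; the length cap and the `linear_time?` check are independent safeguards that remain useful even if the allow-list is later extended.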
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0547 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-1333 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | ReDoS, Regular Expression Denial of Service |
| OWASP | A6:2017-Security Misconfiguration, A04:2021-Insecure Design |
References
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/rails/security/brakeman/check-regex-dos.yaml
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS