bdoyal / roller

Apache License 2.0

(CodeQL) Fixed finding: "Regular expression injection" #3

Open pixeebot[bot] opened 1 week ago

pixeebot[bot] commented 1 week ago

Remediation

This change fixes "Regular expression injection" (id = regex-injection) identified by CodeQL.

Details

This change fixes Regex Injection vulnerabilities by escaping the user input before using it in a regular expression. This is important because untrusted input can contain special characters that can change the behavior of the regular expression, leading to security vulnerabilities like denial of service, or changing the application behavior to match in unexpected situations, possibly causing logical vulnerabilities.

Our changes look like this:

  import java.util.regex.Pattern;

  // run the regex
- Pattern p = Pattern.compile(userInput);
+ Pattern p = Pattern.compile(Pattern.quote(userInput));
  Matcher m = p.matcher(input);
  if (m.find()) {
    // do something
  } 
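Review bot: Pattern.quote() turns the whole of userInput into a literal, so any call site that legitimately relied on users supplying pattern syntax (wildcards, alternation, anchors) will change behaviour after this change; confirm the site only needs literal substring matching before merging. The snippet also imports java.util.regex.Pattern but not java.util.regex.Matcher, which the unchanged `Matcher m = p.matcher(input);` line needs.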
More reading

* [https://cwe.mitre.org/data/definitions/400.html](https://cwe.mitre.org/data/definitions/400.html)
* [https://wiki.sei.cmu.edu/confluence/display/java/IDS08-J.+Sanitize+untrusted+data+included+in+a+regular+expression](https://wiki.sei.cmu.edu/confluence/display/java/IDS08-J.+Sanitize+untrusted+data+included+in+a+regular+expression)

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: codeql:java/regex-injection
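The following is an added, stand-alone example (not code from the PR or from the roller project) that contrasts the "-" and "+" lines of the change above on constructed inputs, including the embedded `\E` case that a hand-rolled `"\\Q" + s + "\\E"` wrapper would get wrong; the class and method names are made up for the demo.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added example: untrusted input compiled directly vs. wrapped in Pattern.quote().
public class RegexQuoteDemo {

    // Shape of the PR's "-" line: the input is interpreted as pattern syntax.
    static boolean findRaw(String userInput, String haystack) {
        Matcher m = Pattern.compile(userInput).matcher(haystack);
        return m.find();
    }

    // Shape of the PR's "+" line: the input is matched as a literal string.
    static boolean findQuoted(String userInput, String haystack) {
        Matcher m = Pattern.compile(Pattern.quote(userInput)).matcher(haystack);
        return m.find();
    }

    public static void main(String[] args) {
        String haystack = "order-42"; // constructed sample text

        // Metacharacters: raw ".*" matches any text, quoted ".*" only a literal ".*".
        System.out.println("raw    .* -> " + findRaw(".*", haystack));
        System.out.println("quoted .* -> " + findQuoted(".*", haystack));

        // Malformed input: the raw form throws, the quoted form simply does not match.
        try {
            System.out.println("raw    (  -> " + findRaw("(", haystack));
        } catch (PatternSyntaxException e) {
            System.out.println("raw    (  -> PatternSyntaxException: " + e.getDescription());
        }
        System.out.println("quoted (  -> " + findQuoted("(", haystack));

        // Input containing "\E": Pattern.quote splits the quoted region so the
        // embedded \E cannot terminate the literal early.
        String tricky = "a\\E.*";
        System.out.println("quote(\"a\\E.*\") = " + Pattern.quote(tricky));
        System.out.println("quoted a\\E.* in \"xa\\E.*y\" -> " + findQuoted(tricky, "xa\\E.*y"));
        System.out.println("quoted a\\E.* in \"" + haystack + "\" -> " + findQuoted(tricky, haystack));
    }
}
```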

pixeebot[bot] commented 1 day ago

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!

pixeebot[bot] commented 18 hours ago

Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!