search

hintwatermelon / roller4

Mirror of Apache Roller
Apache License 2.0
0 stars 0 forks source link

(CodeQL) Escaped regex metacharacters to prevent abuse #1

Open pixeebot-helm-test[bot] opened 4 hours ago

pixeebot-helm-test[bot] commented 4 hours ago

Remediation

This change fixes findings identified by CodeQL.

Details

This change fixes Regex Injection vulnerabilities by escaping the user input before using it in a regular expression. This is important because untrusted input can contain special characters that can change the behavior of the regular expression, leading to security vulnerabilities like denial of service, or change the application behavior to match in unexpected situations, possibly causing logical vulnerabilities.

Our changes look like this:

  import java.util.regex.Pattern;

  // run the regex
- Pattern p = Pattern.compile(userInput);
+ Pattern p = Pattern.compile(Pattern.quote(userInput));
  Matcher m = p.matcher(input);
  if (m.find()) {
    // do something
  }
More reading * [https://cwe.mitre.org/data/definitions/400.html](https://cwe.mitre.org/data/definitions/400.html) * [https://wiki.sei.cmu.edu/confluence/display/java/IDS08-J.+Sanitize+untrusted+data+included+in+a+regular+expression](https://wiki.sei.cmu.edu/confluence/display/java/IDS08-J.+Sanitize+untrusted+data+included+in+a+regular+expression)

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: codeql:java/regex-injection