
Insecure Use of Regular Expressions

Fixing Regex Code Execution

About Regex Code Execution

What is Regex Code Execution?

Regex code execution describes the use of regular expressions in a way that causes behaviour the developer did not intend, leading to security vulnerabilities.

This weakness occurs when a regular expression pattern, or the replacement applied with it, is written or interpreted in a way that makes the regular expression engine execute code supplied in the input or produce other unintended side effects.

What is the impact of Regex Code Execution?

A successful regex code execution attack can have a significant impact, such as:

  • Injection of arbitrary code or commands: An attacker may inject arbitrary code or commands through regular expression input, leading to unauthorized access to sensitive data, system compromise, or data loss.
  • Bypass of security controls: Attackers may use regular expressions to bypass security controls, such as input validation or sanitization, to gain unauthorized access to systems or to escalate privileges.

How to prevent regex code execution?

To prevent regex code execution, it is essential to follow secure coding practices that minimize the risk of accepting and processing malicious input. Here are some measures that can help prevent regex code execution:

  • Input validation and sanitization: Ensure that user input is validated and sanitized before it is used to generate regular expressions. Use regular expressions or input filters to remove or encode any special characters that could be used to execute arbitrary code.
  • Use secure libraries: Use up-to-date, well-maintained and well-documented regular expression libraries. This avoids relying on deprecated libraries or features that are no longer considered secure.
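The first measure above, building a pattern from untrusted input, is shown below as an added example that is not part of the GuardRails page. It uses PHP's preg_quote() to escape the search term before it is placed in the pattern, keeps the replacement a plain string, and fails closed when the engine reports an error; the function names and the sample input are assumptions made for the illustration.

```php
<?php
// Added example (not part of the GuardRails page): building a PCRE pattern
// from an untrusted search term. Function names and input are constructed.

declare(strict_types=1);

/**
 * Build a case-insensitive search pattern from an untrusted term.
 * preg_quote() escapes every regex metacharacter and the chosen delimiter,
 * so the term is matched literally and cannot change the structure of the
 * pattern or append modifiers after the closing delimiter.
 */
function buildSearchPattern(string $term): string
{
    return '/' . preg_quote($term, '/') . '/i';
}

/**
 * Wrap occurrences of $term in $text in <mark> tags. The replacement is a
 * plain string without any modifier, so "$0" (the whole match) is only ever
 * substituted as data and never evaluated.
 */
function highlight(string $text, string $term): string
{
    // Validate the input before it goes anywhere near the regex engine.
    if ($term === '' || strlen($term) > 100) {
        throw new InvalidArgumentException('search term must be 1-100 bytes');
    }

    $result = preg_replace(buildSearchPattern($term), '<mark>$0</mark>', $text);

    // preg_replace() returns null if the pattern fails to compile or the
    // engine hits a limit; treat that as a failure instead of returning "".
    if ($result === null) {
        throw new RuntimeException('regex failure, preg_last_error=' . preg_last_error());
    }
    return $result;
}

// Constructed sample input: the term contains a metacharacter and the
// pattern delimiter, both of which preg_quote() escapes.
$text = 'Order (#42) shipped. Total: $10/unit.';
$term = '$10/';

echo buildSearchPattern($term), PHP_EOL;
echo highlight($text, $term), PHP_EOL;
```

Running the script prints the escaped pattern followed by the text with the literal term wrapped in `<mark>` tags; without preg_quote() the `/` in the term would have closed the pattern early and anything after it would have been read as modifiers.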

Note: This issue only affects applications running on PHP versions prior to 7.0.0. The /e modifier has been deprecated since PHP 5.5.0 and was removed in PHP 7.0.0.

Option A: Use the preg_replace_callback()

  1. Go through the issues that GuardRails identified in the PR/MR

  2. Locate preg_replace() calls whose pattern uses the /e modifier

    <?php
    $html = $_POST['html'];

    // uppercase headings
    // Vulnerable: the trailing "e" modifier makes preg_replace() evaluate the
    // replacement string as PHP code after the captured groups ($1, $2) from
    // the untrusted $html have been substituted into it.
    $html = preg_replace(
        '(<h([1-6])>(.*?)</h\1>)e',
        '"<h$1>" . strtoupper("$2") . "</h$1>"',
        $html
    );
  3. Replace preg_replace with preg_replace_callback:

    <?php
    $html = $_POST['html'];

    // uppercase headings
    // Fixed: the callback is ordinary PHP code; the captured groups are
    // passed in $m as plain strings and are never evaluated.
    $html = preg_replace_callback(
        '(<h([1-6])>(.*?)</h\1>)',
        function ($m) {
            return "<h$m[1]>" . strtoupper($m[2]) . "</h$m[1]>";
        },
        $html
    );
  4. Test it

  5. Ship it 🚢 and relax 🌴
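The script below is an added example, not GuardRails' or PHP's own code, that covers steps 2 and 3 together: a small audit helper that reports whether a PCRE pattern string carries the /e modifier (it honours bracket-style delimiters such as the parentheses used in the snippet above), and the preg_replace_callback() version of the heading filter run over a constructed document. Function names and the sample patterns are assumptions made for the illustration.

```php
<?php
// Added example (not GuardRails' or PHP's own code): an audit helper for
// step 2 and the preg_replace_callback() fix from step 3, with constructed
// input. Function names are assumptions.

declare(strict_types=1);

/**
 * Return true if a PCRE pattern string, as passed to preg_replace(), carries
 * the "e" modifier. The first non-whitespace character is the delimiter;
 * bracket-style delimiters close with their counterpart. Modifiers are
 * whatever follows the last closing delimiter.
 */
function hasEvalModifier(string $pattern): bool
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return false;
    }
    $open  = $pattern[0];
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;

    // The last occurrence of the closing delimiter ends the pattern body;
    // modifiers cannot contain it, so everything after it is modifiers.
    $pos = strrpos($pattern, $close, 1);
    if ($pos === false) {
        return false; // malformed pattern; preg_* would reject it anyway
    }
    return strpos(substr($pattern, $pos + 1), 'e') !== false;
}

/**
 * Uppercase the text of <h1>..<h6> headings. The captured groups arrive in
 * $m as strings and are handled by ordinary PHP; nothing in $m is evaluated
 * as code, whatever the input contains.
 */
function uppercaseHeadings(string $html): string
{
    $result = preg_replace_callback(
        '(<h([1-6])>(.*?)</h\1>)',
        static function (array $m): string {
            return "<h{$m[1]}>" . strtoupper($m[2]) . "</h{$m[1]}>";
        },
        $html
    );

    // null means the pattern failed to compile or the engine hit a limit
    // (e.g. backtracking). Fail closed rather than hand back "".
    if ($result === null) {
        throw new RuntimeException('preg_replace_callback failed, preg_last_error=' . preg_last_error());
    }
    return $result;
}

// Step 2: constructed patterns of the kind found during a code review.
foreach (['(<h([1-6])>(.*?)</h\1>)e', '/<b>(.*?)<\/b>/i', '{\d+}e'] as $p) {
    printf("%-28s %s\n", $p, hasEvalModifier($p) ? 'uses /e: rewrite' : 'ok');
}

// Step 3: constructed document. The quotes and backslash inside the second
// heading remain literal text because the callback never evaluates them.
$input = '<h1>Welcome</h1><p>Body text</p><h2>Say "hi" \ then done;</h2>';
echo uppercaseHeadings($input), PHP_EOL;
```

The audit helper is a quick check for step 2, not a parser for every way a pattern can be assembled; patterns built at runtime still need to be traced by hand. On PHP 7.0 and later, preg_replace() with the /e modifier emits a warning and returns null, so unfixed code like the first snippet turns $html into null rather than failing loudly, which is one more reason to run the audit before upgrading.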