Insecure Use of Regular Expressions
Fixing Regex Code Execution
About Regex Code Execution
What is Regex Code Execution?
Regex code execution describes the use of regular expressions in a way that can cause unexpected or unintended behavior, leading to security vulnerabilities.
This weakness occurs when a regular expression pattern is incorrectly written or interpreted in a way that causes the regular expression engine to execute arbitrary code or cause unintended side effects.
What is the impact of Regex Code Execution?
A successful regex code execution attack can have a significant impact, such as:
- Injection of arbitrary code or commands: An attacker may inject arbitrary code or commands through regular expression input, leading to unauthorized access to sensitive data, system compromise, or data loss.
- Bypass of security controls: Attackers may use regular expressions to bypass security controls, such as input validation or sanitization, to gain unauthorized access to systems or to escalate privileges.
How to prevent regex code execution?
To prevent regex code execution, it is essential to follow secure coding practices that minimize the risk of accepting and processing malicious input. Here are some measures that can help prevent regex code execution:
- Input validation and sanitization: Ensure that user input is validated and sanitized before it is used to generate regular expressions. Use regular expressions or input filters to remove or encode any special characters that could be used to execute arbitrary code.
- Use secure libraries: Use up-to-date and secure regular expression libraries that are well-maintained and well-documented. This can help prevent the use of deprecated libraries that are no longer considered secure.
References
Taxonomies
Note: This issue only affects applications prior to PHP 7.0.0.
The /e
modifier is deprecated since 5.5.0 and has been removed with 7.0.0.
Option A: Use the preg_replace_callback()
Go through the issues that GuardRails identified in the PR/MR
Locate
preg_replace()
functions with the/e
modifier<?php
$html = $_POST['html'];
// uppercase headings
$html = preg_replace(
'(<h([1-6])>(.*?)</h\1>)e',
'"<h$1>" . strtoupper("$2") . "</h$1>"',
$html
);Replace
preg_replace
withpreg_replace_callback
:<?php
$html = $_POST['html'];
// uppercase headings
$html = preg_replace_callback(
'(<h([1-6])>(.*?)</h\1>)',
function ($m) {
return "<h$m[1]>" . strtoupper($m[2]) . "</h$m[1]>";
},
$html
);Test it
Ship it 🚢 and relax 🌴