Regular expressions should not allow Denial of Service attacks
Rule description
- Building regular expressions from user-supplied data is strongly discouraged, because it can lead to regular expression denial of service (ReDoS). This type of attack exploits the fact that most regex implementations can be driven into pathological cases that slow them down drastically. An attacker who controls the pattern can make a program that evaluates it block for a very long time, hence the denial of service.
- Visual Expert pinpoints such calls in your PowerBuilder code, so you can remove them or sanitize the input by stripping the regex metacharacters.
Non-compliant Code Example
global function string matchRegexTest2 (string regPattern)
    string findtext
    findtext = "Hello test"
    // regPattern comes straight from the caller: an attacker-controlled
    // pattern reaches Match() unchanged, so a pathological pattern can block here
    Match(findtext, regPattern)
    Return regPattern
end function
Compliant Code Example
global function string matchRegexTest1 (string regPattern)
    // The pattern is a fixed literal; the user-supplied value is never used as a regex
    Match("hi test123", "^[A-Za-z]")
    Return regPattern
end function
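The rule suggests a second remediation besides hard-coding the pattern: keep the user value but strip its regex metacharacters before it reaches Match(). The following PowerScript is an added example written for this page, not code from Visual Expert or from the original rule text. The function names (stripRegexMeta, containsUserText, containsUserTextLiteral) are illustrative, and the set of characters removed is assumed to be the metacharacters documented for PowerBuilder's Match() pattern syntax (^ $ . [ ] * + ? and the backslash escape).

```powerbuilder
// Added example, not part of the original rule page.
// Removes every character that has a special meaning in a Match() pattern,
// so whatever survives can only be matched literally. The character set is
// an assumption based on the documented Match() metacharacters.
global function string stripRegexMeta (string userText)
    string ls_meta = "^$.[]*+?\"   // PowerScript strings escape with ~, so \ is a plain backslash here
    string ls_clean = ""
    string ls_ch
    integer li_i

    FOR li_i = 1 TO Len(userText)
        ls_ch = Mid(userText, li_i, 1)
        // Keep the character only if it is not one of the metacharacters
        IF Pos(ls_meta, ls_ch) = 0 THEN
            ls_clean = ls_clean + ls_ch
        END IF
    NEXT

    Return ls_clean
end function

// Compliant variant of the non-compliant example above: the user-controlled
// text is sanitized first, so it cannot introduce quantifiers or anchors and
// Match() cannot be driven into a pathological case by the caller.
global function boolean containsUserText (string haystack, string userText)
    string ls_pattern
    ls_pattern = stripRegexMeta(userText)
    // An empty pattern after sanitizing means the input was nothing but metacharacters
    IF ls_pattern = "" THEN Return FALSE
    Return Match(haystack, ls_pattern)
end function

// Simplest option when only a literal substring test is needed:
// avoid the regex engine entirely and use Pos(), which is linear in the input.
global function boolean containsUserTextLiteral (string haystack, string userText)
    IF userText = "" THEN Return FALSE
    Return Pos(haystack, userText) > 0
end function
```

Stripping metacharacters changes the user's text silently (a search for "C++" becomes a search for "C"), so when the feature only needs a substring check, the Pos() variant is the better fix: it keeps the input intact and never invokes the pattern matcher at all.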