Regular expressions should not allow Denial of Service attacks

Rule description

  • Generating regular expressions from user data is strongly discouraged, because it can lead to Regular expression Denial of Service (ReDoS). This type of attack exploits the fact that most regular expression implementations can be driven into extreme cases that slow them down drastically. An attacker can induce such a situation whenever a program uses a regular expression built from their input, blocking it for a very long time (hence the denial of service).
  • Visual Expert pinpoints such calls in your PowerBuilder code, allowing you to remove them or to sanitize the input by removing or neutralizing regex meta-characters.


Non-compliant Code Example

global function string matchRegexTest2 (string regPattern)
// Non-compliant: regPattern comes from the caller (potentially user data) and is
// used directly as the regular expression, so a crafted pattern can trigger ReDoS.
string findtext
findtext = "Hello test"
Match(findtext, regPattern)
Return regPattern
end function

Compliant Code Example

global function string matchRegexTest1 (string regPattern)
// Compliant: the regular expression is a fixed literal; regPattern is never used as a pattern.
Match("hi test123", "^[A-Za-z]")
Return regPattern
end function
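The sanitizing approach from the rule description, as an added example that is not code from the Visual Expert page: user-supplied text is escaped before Match() sees it, so the only pattern that ever reaches the engine is a literal search term. The function names and the list of escaped meta-characters are assumptions.

```powerbuilder
// Added example, not code from the Visual Expert page.
// escapeRegexMeta: prefix every regex meta-character in user-supplied text with a
// backslash so Match() treats the text literally. Assumption: this list covers the
// characters Match() treats as special; escaping a punctuation character that is
// not special is harmless, so the list errs on the side of escaping too much.
global function string escapeRegexMeta (string as_user_text)
string ls_meta, ls_out, ls_ch
long ll_i, ll_len

ls_meta = "\^$.|?*+()[]{}"   // PowerScript literals use ~ not \ as escape, so this is one backslash
ll_len = Len(as_user_text)
ls_out = ""
for ll_i = 1 to ll_len
    ls_ch = Mid(as_user_text, ll_i, 1)
    if Pos(ls_meta, ls_ch) > 0 then
        ls_out += "\"    // neutralize the meta-character
    end if
    ls_out += ls_ch
next
return ls_out
end function

// containsUserText (a separate global function object): the only pattern ever passed
// to Match() is the escaped, literal search term, so the caller can no longer inject
// quantifiers or alternations that drive the engine into catastrophic backtracking.
global function boolean containsUserText (string as_haystack, string as_user_text)
if as_user_text = "" then return false
return Match(as_haystack, escapeRegexMeta(as_user_text))
end function
```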
