ID: js/regex-injection Kind: path-problem Security severity: 7.5 Severity: error Precision: high Tags: - security - external/cwe/cwe-730 - external/cwe/cwe-400 Query suites: - javascript-code-scanning.qls - javascript-security-extended.qls - javascript-security-and-quality.qls
Click to see the query in the CodeQL repository
Constructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.
Recommendation¶
Before embedding user input into a regular expression, use a sanitization function such as lodash’s _.escapeRegExp to escape meta-characters that have special meaning.
Example¶
The following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:
var express = require('express'); var app = express(); app.get('/findKey', function(req, res) { var key = req.param("key"), input = req.param("input"); // BAD: Unsanitized user input is used to construct a regular expression var re = new RegExp("\\b" + key + "=(.*)\n"); });
Instead, the request parameter should be sanitized first, for example using the function _.escapeRegExp from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.
var express = require('express'); var _ = require('lodash'); var app = express(); app.get('/findKey', function(req, res) { var key = req.param("key"), input = req.param("input"); // GOOD: User input is sanitized before constructing the regex var safeKey = _.escapeRegExp(key); var re = new RegExp("\\b" + safeKey + "=(.*)\n"); });