Unsafe regular expression

Severity
High
Applies to
Step
Links
CWE-1333

Why This Issue Is Important

Regular expressions that backtrack catastrophically open the door to ReDoS (Regular Expression Denial of Service): a short, crafted input can keep a worker busy for seconds or minutes, degrading performance or crashing your API. Patterns that lack start and end boundaries, or that use unlimited quantifiers and the dot metacharacter, also match more than intended, so an attacker can slip unexpected content past a validation check and reach other parts of the system.

How This Issue Is Detected

The rule inspects every flow variable in the step that holds a regular expression. Each pattern is analyzed for common weaknesses: missing start or end boundaries, unrestricted use of the dot metacharacter, unlimited quantifiers, and constructs that can trigger exponential backtracking (ReDoS). An issue is raised when any of these patterns is found.

How to Fix the Issue

Use boundaries: anchor your patterns with a start (^) and end ($) boundary so that the whole value must match; without them, a value such as 42abc passes a numeric check because 42 matches partially. Make sure multiline mode is off for validation patterns, since in that mode ^ and $ match line boundaries rather than the whole input.

Limit quantifiers: avoid unlimited quantifiers such as * or + (and open-ended ranges like {n,}) without restrictions. Use bounded repetition ({min,max}) and the most specific pattern that matches the exact expected input.

Avoid the dot metacharacter: replace . with an explicit character class so the pattern cannot match arbitrary characters and accept input you never intended.

Check for ReDoS: avoid patterns that cause exponential backtracking, such as nested quantifiers ((a+)+) or alternations whose branches overlap ((a|a)+), and test each candidate pattern against long inputs that almost match but fail at the end before deploying it.
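The following is an added example, not the product's own analyzer or code from this page. It implements a small heuristic checker over the pattern text that mirrors the four checks described under "How This Issue Is Detected", and then shows why each finding from "How to Fix the Issue" matters: an unanchored, unbounded id pattern accepting a trailing payload, and a nested quantifier whose matching cost grows with every extra character. The pattern names (UNSAFE_ID, SAFE_ID, SAFE_EMAIL) and the sample inputs are constructed for illustration.

```python
import re
import time

# Added example (not the product's own analyzer): a heuristic static checker
# over the pattern text that mirrors the four checks described above, plus a
# demonstration of why each finding matters. Pattern names and sample inputs
# are constructed for illustration.

UNBOUNDED = r"(?:[*+]|\{\d+,\})"   # *, + or {n,} with no upper bound
NOT_ESCAPED = r"(?<!\\)"           # the metacharacter is not preceded by a backslash


def check_regex(pattern: str) -> list[str]:
    """Return the findings for a pattern; an empty list means no issue.

    Limitations (deliberate, to keep the heuristic short): a trailing escaped
    dollar (\\$) counts as an anchor and metacharacters inside character
    classes are not parsed, so a + inside [...] is reported as a quantifier.
    """
    findings = []
    if not pattern.startswith(("^", r"\A")):
        findings.append("missing start anchor (^)")
    if not pattern.endswith(("$", r"\Z")):
        findings.append("missing end anchor ($)")
    if re.search(NOT_ESCAPED + r"\." + UNBOUNDED, pattern):
        findings.append("unrestricted dot (.* or .+)")
    if re.search(NOT_ESCAPED + UNBOUNDED, pattern):
        findings.append("unlimited quantifier (*, + or {n,})")
    # Nested quantifier: a quantified group whose body is itself quantified,
    # e.g. (a+)+. Only innermost groups are inspected, which covers the
    # common ReDoS shapes.
    for group in re.finditer(r"\((?:\?:)?([^()]*)\)" + UNBOUNDED, pattern):
        if re.search(NOT_ESCAPED + UNBOUNDED, group.group(1)):
            findings.append(f"nested quantifier {group.group(0)}: exponential backtracking")
            break
    return findings


# A numeric id validation as it might appear in a flow variable, before and after the fix.
UNSAFE_ID = r"\d+"          # unanchored and unbounded
SAFE_ID = r"^\d{1,10}$"     # anchored and bounded to a realistic length

# An email check written with character classes and bounded repetition only.
SAFE_EMAIL = r"^[a-z0-9._%-]{1,64}@[a-z0-9.-]{1,253}\.[a-z]{2,24}$"


def validate(pattern: str, value: str) -> bool:
    """Apply a validation regex the way a search-based check would."""
    return re.search(pattern, value) is not None


def timed_search(pattern: str, value: str) -> tuple[bool, float]:
    """Run one search and return (matched, seconds) to expose backtracking cost."""
    start = time.perf_counter()
    matched = re.search(pattern, value) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    for pat in (UNSAFE_ID, SAFE_ID, SAFE_EMAIL, r"^.*$", r"^(a+)+$"):
        print(f"{pat!r:45} -> {check_regex(pat) or 'OK'}")
    # Missing anchors let an attacker append anything after a valid-looking prefix.
    payload = "42; DROP TABLE users"
    print("unsafe accepts payload:", validate(UNSAFE_ID, payload))
    print("safe accepts payload:  ", validate(SAFE_ID, payload))
    # Nested quantifiers: work doubles with every extra 'a' (raise n to ~28 to feel it).
    evil = "a" * 16 + "!"
    for pat in (r"^(a+)+$", r"^a+$"):
        matched, secs = timed_search(pat, evil)
        print(f"{pat:10} matched={matched} time={secs:.4f}s")
```

The checker is a text heuristic, so it is a triage aid rather than proof of safety: a pattern it passes can still backtrack badly through overlapping alternation, and the reliable test remains running the real engine against a long input that fails only at the last character, as the timed run above does.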