Skip to content

Regex Injection #1238

Description

@konstjar

The application appears to be utilizing user input to dynamically build regular expressions (regex).

The following request appears to be including user input when constructing regex expressions:

GET /WebAPI/featureextraction/query/prevalence/10/OPTUM?domain=demographic$
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/55.0.2883.87
Safari/537.36
Accept: / Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: null X-Requested-With: XMLHttpRequest
Connection: close
Cache-Control: no-transform

The server response indicates that the $ character is being interpreted as part of a regular expression:

HTTP/1.1 500
Connection: close
Content-Length: 18127
{
"payload":
{
"cause": null,
"stackTrace": [
{
"methodName": "appendReplacement",
"fileName": "Matcher.java",
"lineNumber": 857,
"className": "java.util.regex.Matcher",
"nativeMethod": false
},


{
"methodName": "run",
"fileName": "Thread.java",
"lineNumber": 748,
"className": "java.lang.Thread",
"nativeMethod": false
}
],
"message": "Illegal group reference",
"localizedMessage": "Illegal group reference",
"suppressed": []
},

Error Indicating a Failed Regular Expression

It did not appear that this finding could be abused by an anyone, however, there may be instances where a person could submit a regex value which would consume excessive system resources, creating a denial of service condition.

Recommendation(s)
The application should ensure that user input is not directly utilized when creating server side evaluations. In cases where this functionality is desired, the input should be sufficiently validated to ensure it is of well-formed and expected content, rejecting values which do not meet pre-defined constraints.

ReferencesCWE-20:
Improper Input Validation: https://cwe.mitre.org/data/definitions/20.html

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions