Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java: Regex injection #5704

Merged
merged 7 commits into from Jun 1, 2021
Merged

Java: Regex injection #5704

merged 7 commits into from Jun 1, 2021

Conversation

ghost
Copy link

@ghost ghost commented Apr 16, 2021

No description provided.

@ghost ghost self-requested a review as a code owner April 16, 2021 20:33
@ghost ghost changed the title [Java]: Regex injection Java: Regex injection Apr 16, 2021
@Marcono1234
Copy link
Contributor

Maybe it would be good to cover Apache Commons Lang's RegExUtils as well since there is already some support for that class provided by the Java CodeQL library, see #5339.

It might be useful to model all methods accepting regex arguments in some way so future queries (e.g. DoS from hardcoded regex patterns, or erroneous regex patterns) can reuse it. Though I am not a member of this project, so I can't tell if and how that should be implemented.

@ghost
Copy link
Author

ghost commented Apr 19, 2021

Maybe it would be good to cover Apache Commons Lang's RegExUtils

Good idea, will do that.

Marcono1234
Marcono1234 reviewed Apr 21, 2021
View reviewed changes
Copy link
Contributor

@Marcono1234 Marcono1234 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The following review comments are mostly cosmetic.

An interesting aspect might also be the replacement string of the replace calls. That string supports referencing captured groups (see documentation), including $0 to reference the complete match. This might be abusable:

"1234567890".replaceFirst("\\d+", "$0$0$0$0$0$0$0$0$0$0$0")
> 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

Depending on how large the match is and whether there are any length restrictions on the replacement string this could allow DoS attacks through high memory usage.
What do you think? (Though the projects on which I tried a query checking for this had no results)

java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
}
}

abstract class Sanitizer extends DataFlow::ExprNode { }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since only RegExpSanitizationCall is extending this class it might be best to remove it and have RegExpSanitizationCall directly extend DataFlow::ExprNode (unless this pull request is not finished yet and you are planning to add more sanitizers).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You never know when pull request is finished :)

java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql Show resolved Hide resolved
@ghost
Copy link
Author

ghost commented Apr 22, 2021

The following review comments are mostly cosmetic.

An interesting aspect might also be the replacement string of the replace calls. That string supports referencing captured groups (see documentation), including $0 to reference the complete match. This might be abusable:

"1234567890".replaceFirst("\\d+", "$0$0$0$0$0$0$0$0$0$0$0")
> 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

Depending on how large the match is and whether there are any length restrictions on the replacement string this could allow DoS attacks through high memory usage.
What do you think? (Though the projects on which I tried a query checking for this had no results)

User input in any of the regex arguments could alter the program logic. In this case I think it can only throw out of memory exception, that is far away from CPU intensive regex DoS.

@ghost ghost mentioned this pull request Apr 26, 2021
Closed
1 task
@tamasvajk
Copy link
Contributor

I started an LGTM analysis of this query.

@ghost
Copy link
Author

ghost commented May 24, 2021

Ping

@smowton
Copy link
Contributor

smowton commented May 27, 2021

@tamasvajk

@tamasvajk
Copy link
Contributor

@smowton I asked @aschackmull to have a final look. He'll check the PR next week.

@aschackmull
Copy link
Contributor

Looks ok to me.

@aschackmull aschackmull merged commit a4661e1 into github:main Jun 1, 2021
@ghost ghost mentioned this pull request Aug 18, 2021
Closed
@jcogs33 jcogs33 mentioned this pull request Nov 1, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@tamasvajk tamasvajk

@aschackmull aschackmull

Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Marcono1234 @tamasvajk @smowton @aschackmull