SonarQube Regex vulnerability issue in JavaScript

Whenever I use a Regex in JavaScript code, SonarQube reports a vulnerability issue. Is there an alternative to regular expressions in JavaScript?

Error: Make sure that using a regular expression is safe here.

Regex example: '(^(?=[A-Za-z0-9\._-]*$)(?=.*[A-Za-z0-9]).*$)'

This is not a real issue but a security warning.

Have you checked SonarQube's description of the error?

Evaluating regular expressions against input strings is potentially an extremely CPU-intensive task. Specially crafted regular expressions such as (a+)+s will take several seconds to evaluate the input string aaaaaaaaaaaaaaaaaaaaaaaaaaaaabs.

The problem is that with every additional a character added to the input, the time required to evaluate the regex doubles. However, the equivalent regular expression, a+s (without grouping) is efficiently evaluated in milliseconds and scales linearly with the input size.

Evaluating such regular expressions opens the door to Regular expression Denial of Service (ReDoS) attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions thereby making the service inaccessible to genuine users.

This rule flags any execution of a hardcoded regular expression which has at least 3 characters and at least two instances of any of the following characters: *+{.

Example: (a+)*

Ask Yourself Whether
• the executed regular expression is sensitive and a user can provide a string which will be analyzed by this regular expression.
• your regular expression engine's performance decreases with specially crafted inputs and regular expressions.

You may be at risk if you answered yes to any of those questions.

To resolve this, you need to check manually whether the RegEx is actually at risk. If it is not, you can mark it as a false positive; otherwise, you may have to revise the regular expression.

For more information on regular expression DoS issues, see the OWASP web site.
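The answer above quotes the rule's (a+)+s versus a+s example and the trigger heuristic (a hardcoded pattern of at least 3 characters with at least two of * + { .). The following Node.js script is an added example, not code from the question or the answer: it times both patterns on a constructed attacker input so the exponential growth is visible, reimplements a simplified reading of that heuristic as sonarWouldFlag, and shows a regex-free check, isValidIdentifier, equivalent to the question's pattern. The function and constant names are my own assumptions, and SAMPLES is a constructed test set. The question's pattern itself is linear (the anchored lookaheads each scan the input once), so for that regex the warning is a false positive by the rule's own heuristic; the script confirms the two checks agree on the samples.

```javascript
// Added example (not from the original post). Plain Node.js, no dependencies.

// Simplified reading of the SonarQube trigger heuristic quoted above:
// a hardcoded regex of >= 3 characters containing at least two occurrences of
// any of the characters  * + { .   This is what makes the rule fire; it is a
// heuristic, not a proof that the pattern is vulnerable to ReDoS.
function sonarWouldFlag(patternSource) {
  if (patternSource.length < 3) return false;
  let hits = 0;
  for (const ch of patternSource) {
    if (ch === '*' || ch === '+' || ch === '{' || ch === '.') hits++;
  }
  return hits >= 2;
}

// Time a single regex test in milliseconds.
function timeRegex(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { matched, ms };
}

// Constructed attacker input: n letters 'a' followed by 'b'. Neither pattern can
// match it, so the engine must exhaust every way of splitting the run of a's.
function craftedInput(n) {
  return 'a'.repeat(n) + 'b';
}

// Run both patterns from the rule description against the same input.
// (a+)+s roughly doubles its work with each extra 'a'; a+s stays linear.
function compareBacktracking(n) {
  const input = craftedInput(n);
  return {
    nested: timeRegex(/(a+)+s/, input),
    flat: timeRegex(/a+s/, input),
  };
}

// The question's pattern: only [A-Za-z0-9._-], and at least one alphanumeric.
const QUESTION_PATTERN = /(^(?=[A-Za-z0-9\._-]*$)(?=.*[A-Za-z0-9]).*$)/;

// Equivalent check without a regular expression: one pass, no backtracking.
function isValidIdentifier(s) {
  let hasAlnum = false;
  for (const ch of s) {
    const alnum =
      (ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z') || (ch >= '0' && ch <= '9');
    if (alnum) {
      hasAlnum = true;
      continue;
    }
    if (ch !== '.' && ch !== '_' && ch !== '-') return false;
  }
  return hasAlnum;
}

// Constructed sample inputs covering the edge cases: empty string, separators
// only, a space, a shell metacharacter and an embedded newline.
const SAMPLES = ['abc', 'a_b-c.d', '___', '-.-', '', 'ab cd', 'a$b', 'x', 'a\nb'];

// True when the regex and the hand-written check agree on every sample.
function checksAgree(samples) {
  return samples.every((s) => QUESTION_PATTERN.test(s) === isValidIdentifier(s));
}

// Demo output when run directly: watch the nested pattern's time climb.
for (const n of [10, 15, 20]) {
  const r = compareBacktracking(n);
  console.log(`n=${n}: (a+)+s ${r.nested.ms.toFixed(2)} ms, a+s ${r.flat.ms.toFixed(3)} ms`);
}
console.log('rule would flag question pattern:', sonarWouldFlag(QUESTION_PATTERN.source));
console.log('regex and manual check agree:', checksAgree(SAMPLES));
```

Raising n in the demo loop to 25 or more reproduces the multi-second stall the rule text describes; keep it small in CI. The practical check the answer asks for is the one compareBacktracking performs: feed the pattern a non-matching input that grows by one character at a time and see whether the time doubles or grows linearly.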

```java
import java.util.regex.Pattern;

String regex = request.getParameter("regex");   // request: the servlet HttpServletRequest
String input = request.getParameter("input");

input.matches(Pattern.quote(regex));
// Compliant: Pattern.quote wraps the text in \Q...\E, so metacharacters or escape sequences have no special meaning
// (the user-supplied "regex" is therefore matched as a literal, i.e. this is a whole-string equality check)
```

Note: this works in Sonar.