Follow

Follow

# Code Smell 185 - Evil Regular Expressions

## Regular expressions are a code smell. Sometimes also a vulnerability

Maxi Contieri⭐⭐⭐
·Dec 8, 2022·

• Problems
• Solutions
• Context
• Sample Code
• Detection
• Tags
• Conclusion
• Relations
• Disclaimer
• Credits

TL;DR: Try to minimize Regular Expression's recursive rules.

# Problems

• Security Issues

• Premature Optimization

# Solutions

1. Cover the cases with tests to see if they halt

2. Use algorithms instead of regular expressions

# Context

This is known as ReDos attack, a subtype of a Denial of Service attack.

ReDoS attacks can be divided into two types:

A string with an evil pattern is passed to an application. Then this string is used as a regex, which leads to ReDoS.

A string with a vector attack format is passed to an application. Then this string is evaluated by a vulnerable regex, which leads to ReDoS.

# Sample Code

## Wrong

``````package main

import (
"regexp"
"fmt"
)

func main() {
var re = regexp.MustCompile(`^(([a-z])+.)+[A-Z]([a-z])+\$`)
var str = `aaaaaaaaaaaaaaaaaaaaaaaa!`

for i, match := range re.FindAllString(str, -1) {
fmt.Println(match, "found at index", i)
}
}
``````

## Right

``````package main

import (
"fmt"
"strings"
)

func main() {
var str = `aaaaaaaaaaaaaaaaaaaaaaaa!`

words := strings.Fields(str)

for i, word := range words {
if len(word) >= 2 && word[0] >= 'a' && word[0] <= 'z' && word[len(word)-1] >= 'A'
&& word[len(word)-1] <= 'Z' {
fmt.Println(word, "found at index", i)
}
}
}
``````

# Detection

[X] Semi-Automatic

Many languages avoid this kind of regular expression.

We can also scan the code for this vulnerability.

• Security

# Conclusion

Regular Expressions are tricky and hard to debug.

We should avoid them as much as possible.

# Relations

Catastrophic backtracking: how can a regular expression cause a ReDoS vulnerability?

https://owasp.org/www-community/attacks/Regular_expression_Denial_ofService-_ReDoS

Runaway Regular Expressions: Catastrophic Backtracking

# Disclaimer

Code Smells are just my opinion.

# Credits

Photo by engin akyurt on Unsplash

Some people, when confronted with a problem, think “I know, I’ll use regular expressions.” Now they have two problems.

Jamie Zawinski