Regular Expression without Anchors
ID: 777 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
The software uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.
Extended Description
When performing tasks such as whitelist validation, data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may precede or follow the substring that matches the regular expression, and the check still succeeds. The type of malicious data that is allowed will depend on the context of the application and on which anchors (start, end, or both) are omitted from the regular expression.
Likelihood of Exploit: Low to Medium
Applicable Platforms: None
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Availability, Confidentiality, Access Control | Bypass Protection Mechanism | An unanchored regular expression used as a whitelist may result in a protection mechanism failure, allowing malicious or malformed data to enter trusted regions of the program. The specific consequences depend on what functionality the whitelist was protecting.
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
---|---|---|---|---
Implementation | | Be sure to understand both what will and what will not be matched by a regular expression. Anchoring both ends of the expression lets the programmer define a whitelist strictly limited to what the text of the regular expression matches. If you are using a package that only matches one line by default, ensure that you can match multi-line inputs if necessary; in many engines `$` also matches just before a trailing newline, so prefer an absolute end-of-string anchor (`\z` in PCRE/Perl, `\Z` in Python) or a full-match API where the engine provides one. | |
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-777 ChildOf CWE-625 | Weakness | CWE-1000, CWE-699 |
Demonstrative Examples (Details)
- Consider a web application that supports multiple languages. It selects the message file for the appropriate language using the `lang` request parameter, after checking `lang` against a regular expression. If that expression is not anchored at both ends, a value such as a path traversal sequence that merely contains a run of permitted characters will pass the check.
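The following Python script is an added example, not the CWE entry's own demonstrative code; it illustrates both the `lang` example above and the mitigation note on anchoring both ends and on multi-line input. It runs the same allow-list pattern through four ways of applying it (unanchored `search`, start-only `match`, `^...$`, and `fullmatch` / `\A...\Z`) against constructed inputs. The message directory, the sample `lang` values and the `select_message_file` helper are assumptions made for illustration.

```python
"""Anchored vs. unanchored allow-list validation of a `lang` parameter (added example).

Assumptions: MESSAGE_DIR, SAMPLES and select_message_file are constructed for
illustration and are not part of the CWE entry.
"""
import re
from typing import Callable, Dict, Optional

MESSAGE_DIR = "/srv/app/messages"  # hypothetical directory of per-language message files
ALLOWED = r"[A-Za-z0-9]+"          # the intended whitelist: letters and digits only


def unanchored(lang: str) -> bool:
    # CWE-777: no anchors, so any substring of letters/digits satisfies the check.
    return re.search(ALLOWED, lang) is not None


def start_anchored_only(lang: str) -> bool:
    # re.match anchors at the start only; trailing data still slips through.
    return re.match(ALLOWED, lang) is not None


def caret_dollar(lang: str) -> bool:
    # ^ and $ reject most junk, but in Python (as in Perl/PCRE) $ also matches
    # just before a trailing newline, so "en\n" is accepted.
    return re.match(r"^" + ALLOWED + r"$", lang) is not None


def strict(lang: str) -> bool:
    # fullmatch requires the pattern to consume the entire string.
    return re.fullmatch(ALLOWED, lang) is not None


def absolute_anchors(lang: str) -> bool:
    # Same effect with explicit anchors: in Python \Z matches only at the very
    # end of the string (the role \z plays in PCRE/Perl).
    return re.search(r"\A" + ALLOWED + r"\Z", lang) is not None


def select_message_file(lang: str, validator: Callable[[str], bool]) -> Optional[str]:
    """Return the path the application would load, or None if `lang` is rejected."""
    if not validator(lang):
        return None
    return f"{MESSAGE_DIR}/{lang}"


# Constructed inputs: one legitimate value and several hostile or malformed ones.
SAMPLES = {
    "legit": "en",
    "traversal": "../../../etc/passwd",
    "trailing_junk": "en/../../../etc/passwd",
    "trailing_newline": "en\n",
    "empty": "",
}

VALIDATORS = {
    "unanchored": unanchored,
    "start_anchored_only": start_anchored_only,
    "caret_dollar": caret_dollar,
    "strict": strict,
    "absolute_anchors": absolute_anchors,
}


def audit() -> Dict[str, Dict[str, bool]]:
    """For each validator, which samples are accepted (True = a path gets built)."""
    return {
        vname: {sname: select_message_file(s, v) is not None for sname, s in SAMPLES.items()}
        for vname, v in VALIDATORS.items()
    }


if __name__ == "__main__":
    for vname, results in audit().items():
        accepted = [s for s, ok in results.items() if ok]
        print(f"{vname:20s} accepts: {accepted}")
```

Only `strict` and `absolute_anchors` accept exactly the legitimate value. The `^...$` form is the interesting one: it blocks the traversal strings but still lets `"en\n"` through, which is the multi-line pitfall the mitigation warns about, so a validator that later splices `lang` into a path or a shell command should use a full-match API or an absolute end anchor rather than `$`.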
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings: None
References: None