Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ruby: add regex injection query #6978

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Ruby: add regex injection query #6978

wants to merge 3 commits into from

Conversation

Reviewers

@intrigus-lgtm intrigus-lgtm

@github/codeql-ruby codeql-ruby

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Ruby
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
@nickrolfe @intrigus-lgtm
@nickrolfe
Copy link
Contributor

@nickrolfe nickrolfe commented Oct 27, 2021

No description provided.

@nickrolfe
Ruby: add regex injection query
11154a9
@nickrolfe nickrolfe added the Ruby label Oct 27, 2021
@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Oct 27, 2021

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

@nickrolfe
Ruby: fix qhelp
bd92403
@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Oct 28, 2021

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

Regular expression injection

Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as Regexp.escape to escape meta-characters that have special meaning.

Example

The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:

class UsersController < ActionController::Base
  def first_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = /#{ params[:key] }/
  end

  def second_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = Regexp.new(params[:key])
  end
end

Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.

class UsersController < ActionController::Base
  def example
    # GOOD: User input is sanitized before constructing the regular expression
    regex = Regexp.new(Regex.escape(params[:key]))
  end
end

References

@nickrolfe nickrolfe marked this pull request as ready for review Oct 29, 2021
@nickrolfe nickrolfe requested a review from as a code owner Oct 29, 2021
@nickrolfe
Copy link
Contributor Author

@nickrolfe nickrolfe commented Oct 29, 2021

I still need to get a successful DCA run to check performance, but otherwise I think this ready for review.

@nickrolfe
Ruby: add change note for rb/regexp-injection
fed0a06
@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Oct 29, 2021

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

Regular expression injection

Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as Regexp.escape to escape meta-characters that have special meaning.

Example

The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:

class UsersController < ActionController::Base
  def first_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = /#{ params[:key] }/
  end

  def second_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = Regexp.new(params[:key])
  end
end

Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.

class UsersController < ActionController::Base
  def example
    # GOOD: User input is sanitized before constructing the regular expression
    regex = Regexp.new(Regex.escape(params[:key]))
  end
end

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment