Skip to content

Java: CWE-625 Query to detect regex dot bypass #9873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Aug 31, 2022
Merged

Java: CWE-625 Query to detect regex dot bypass #9873

merged 7 commits into from
Aug 31, 2022

Conversation

luchua-bc
Copy link
Contributor

By default, "dot" (.) in regular expressions matches all characters except newline characters \n and
\r. Regular expressions containing a dot can be bypassed with the characters \r(%0a) and \n(%0d) when the default regex matching implementations of Java are used. When regular expressions serve to match protected resource patterns to grant access to protected application resources, attackers can gain access to unauthorized paths.

This query helps to detect insecure patterns and guard against unauthorized access by checking two patterns:

  • whether a safe regex pattern is used
  • whether a safe Java API is in place

Please consider to merge this PR.

Thanks,
@luchua-bc

@luchua-bc luchua-bc requested a review from a team as a code owner July 20, 2022 22:49
@luchua-bc luchua-bc mentioned this pull request Jul 20, 2022
Closed
2 tasks
atorralba
atorralba reviewed Aug 17, 2022
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @luchua-bc, thanks for your contribution. I made some inline comments, and also pushed a commit to make SpringUrlRedirect.qll a shared library, since you're reusing it from another experimental query.

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 17, 2022
View reviewed changes
@atorralba atorralba force-pushed the java/permissive-dot-regex branch from f4fb4bb to 1d12bd1 Compare August 17, 2022 08:43
@luchua-bc
Copy link
Contributor Author

Thank @atorralba a lot for reviewing this PR. I’m on a vacation trip now and will work on the changes early next week after I’m back.

Have a nice day!

@luchua-bc

@luchua-bc
Copy link
Contributor Author

Thank @atorralba for the commit of shared library and the comments. I've made all the suggested changes.

Please review again when you have a chance.

Cheers,
@luchua-bc

atorralba
atorralba reviewed Aug 30, 2022
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added another comment.

Additionally, I tried to verify the Apache Shiro result with your query and it seems it's no longer working. Could you take a look?

@atorralba atorralba merged commit 2ec53bf into github:main Aug 31, 2022
@luchua-bc
Copy link
Contributor Author

Thank @atorralba a lot for all your help with this PR.

@atorralba atorralba mentioned this pull request Sep 1, 2022
Merged
@luchua-bc luchua-bc deleted the java/permissive-dot-regex branch September 2, 2022 21:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@atorralba atorralba atorralba approved these changes

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@luchua-bc @atorralba