Denial of Service Java Regex Pattern

Good morning, I am currently working with Java. I am passing my code through SonarQube and I am getting the following issue, associated with a Security Hotspot:

Denial of Service (DoS):

Make sure the regex used here, which is vulnerable to polynomial runtime due to backtracking, cannot lead to denial of service.

The same happens for the following regex validation:

    import java.util.regex.Pattern;

    // Validation flagged by SonarQube: the regex "^(.)*?(58).*" is what the hotspot points at.
    private static void validateIdentityId(String identityId) {
        if (!Pattern.matches("^(.)*?(58).*", identityId)) {
            throw new EmptyDataExceptionQueryParam("Parametro identityId (PhoneNumber) enviado es incorrecto para Venezuela");
        }
    }

How can you remedy this?

Hi,

It’s the nature of Security Hotspots that you don’t necessarily make them go away. A Security Hotspot is raised when an understanding of the larger context is required to understand whether there’s really a problem or it’s okay. If it’s okay, you can just mark it “Safe” and move on. If there’s really a problem - and the rule description should help you determine that - then you’ll need to add some additional safeguards around the code or perhaps change it wholesale. And again, the rule description should be helpful there in figuring out what needs to happen.

HTH,
Ann

1 Like
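As an added example (not code from the original post, from SonarQube, or from the rule description), here is the "change it wholesale" option from the reply above applied to the regex in the question: the same accept/reject behaviour rewritten as a linear-time substring check, with a comparison against the original regex over constructed inputs. It assumes Java 11 or later and that the validator is meant to keep exactly what the regex currently accepts.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example: the original regex beside a regex-free equivalent.
public class IdentityIdCheck {
    private static final Pattern ORIGINAL = Pattern.compile("^(.)*?(58).*");

    // The check as posted: two unbounded quantifiers around a short literal,
    // which is the shape the hotspot flags.
    static boolean matchesWithRegex(String identityId) {
        return ORIGINAL.matcher(identityId).matches();
    }

    // Equivalent check without a regex. Pattern.matches must consume the whole
    // string and '.' does not match line terminators by default, so the regex
    // accepts exactly the inputs that contain "58" and contain no line terminator.
    static boolean matchesWithoutRegex(String identityId) {
        if (identityId == null) {
            return false;
        }
        for (int i = 0; i < identityId.length(); i++) {
            char c = identityId.charAt(i);
            if (c == '\n' || c == '\r' || c == '\u0085' || c == '\u2028' || c == '\u2029') {
                return false;
            }
        }
        return identityId.contains("58");
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the line-terminator edge case and a
        // long non-matching string of the kind that makes backtracking expensive.
        List<String> samples = List.of("584121234567", "4121234567", "", "58",
                "5", "58\n", "5".repeat(5000) + "9");
        for (String s : samples) {
            boolean viaRegex = matchesWithRegex(s);
            boolean viaPlain = matchesWithoutRegex(s);
            String shown = s.length() > 12 ? s.substring(0, 9) + "..." : s;
            System.out.printf("%-12s regex=%b plain=%b%n", shown, viaRegex, viaPlain);
            if (viaRegex != viaPlain) {
                throw new AssertionError("behaviour differs for: " + shown);
            }
        }
    }
}
```

With the regex gone, there is no hotspot to mark, and the line-terminator case is now explicit in the code instead of hidden in the semantics of `.`.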