Denial Of Services Java Regex Pattern

justoville · May 10, 2024, 11:58am

Good morning, I am currently working with Java and I am passing my code through SonarQube and I am having the following issue associated with a SecurityHospost:

Denial Of Services (DOS):

Make sure the regex used here, which is vulnerable to polynomial runtime due to backtracking, cannot lead to denial of service.

The same happens for the following Regex validation:

    private static void validateIdentityId(String identityId) {
        if(!Pattern.matches("^(.)*?(58).*",identityId)){
            throw  new EmptyDataExceptionQueryParam("Parametro identityId (PhoneNumber) enviado es incorrecto para Venezuela");
        }
    }
 }

How can you remedy this?

ganncamp · May 13, 2024, 3:55pm

Hi,

It’s the nature of Security Hotspots that you don’t necessarily make them go away. A Security Hotspot is raised when an understanding of the larger context is required to understand whether there’s really a problem or it’s okay. If it’s okay, you can just mark it “Safe” and move on. If there’s really a problem - and the rule description should help you determine that - then you’ll need to add some additional safeguards around the code or perhaps change it wholesale. And again, the rule description should be helpful there in figuring out what needs to happen.

HTH,
Ann

Topic		Replies	Views
False positive regex DoS vulnerability? SonarQube Server / Community Build sonarqube	3	7536	October 13, 2023
New Security Hotspot for Regular Expressions in .NET Sonar Updates sonarqube , dotnet , sonarqube-ide , sonarqube-cloud	1	740	December 23, 2022
FPs Security Hotspot S5852 (polynomial runtime regex) Report False-positive / False-negative... java , security-hotspot	4	10863	November 26, 2022
Security hot Spot issue in Sonar Qube 7.6 SonarQube Server / Community Build sonarqube , security-hotspot	1	524	November 14, 2019
Regular expression in Javascript SonarQube Server / Community Build	3	689	March 4, 2021

Denial Of Services Java Regex Pattern

Related topics