javascript:S4784 Using regular expressions is security-sensitive should acknowledge literal characters

wjaspers · March 2, 2021, 9:37pm

Sonar version 7.9.
I’m unaware of other versions in use as I dont have control over them.

Example code

const expr = /\*+/g;
inputStr.replace(expr, '*');

Expected behavior: the rule is not triggered because the asterisk is a literal character.

Current behavior: the rule is triggered because the * asterisk AND + both appear in the expression, raising the rule’s counter to the threshold of 2.

saberduck · May 28, 2021, 8:47am

hello @wjaspers ,

indeed, this hotspot rule was a bit noisy, that’s why it’s deprecated now. We plan to bring new rules about regexp in JavaScript in the future versions.

system · August 30, 2021, 1:02pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
javascript:S4817 reports on literals Report False-positive / False-negative... javascript	2	486	January 31, 2020
ReDoS (Regular Expression Denial of Service, S4784) detection could be smarter Report False-positive / False-negative... security	2	1656	June 18, 2020
FP S6324: Regular expressions should not contain control characters Report False-positive / False-negative... typescript	1	44	February 13, 2025
javascript:S3786 Report False-positive / False-negative... javascript	6	529	June 28, 2022
Sonarlint python:S5361 Report False-positive / False-negative... python , false-positive , rules	5	1545	March 25, 2022

javascript:S4784 Using regular expressions is security-sensitive should acknowledge literal characters

Related topics