New Security Hotspot for Regular Expressions in .NET

Hi .NET Folks :slightly_smiling_face:

We are happy to announce that we have a new security hotspot for C# and VB.NET that will raise an issue if your regular expression does not specify a timeout. Regular expressions can be vulnerable to denial-of-service attacks, so if the input is untrusted and your regular expression might be vulnerable to catastrophic backtracking it’s important to include a timeout to protect your application. A huge thank you goes to open-source contributor @Corniel for his work on this.

This is now available on SonarCloud and will be included in the upcoming SonarQube 9.9 as well as in the next release of SonarLint.

That’s our last .NET release for 2022, see you in the new year! :tada:


1 Like

It was great fun creating this one. There other rules (implemented both for Java and PHP) about regexes and how they could be improved. may be I’ll investigate them the next year.

1 Like