New Security Hotspot for Regular Expressions in .NET

Tom_Howlett · December 22, 2022, 11:08am

Hi .NET Folks

We are happy to announce that we have a new security hotspot for C# and VB.NET that will raise an issue if your regular expression does not specify a timeout. Regular expressions can be vulnerable to denial-of-service attacks, so if the input is untrusted and your regular expression might be vulnerable to catastrophic backtracking it’s important to include a timeout to protect your application. A huge thank you goes to open-source contributor @Corniel for his work on this.

This is now available on SonarCloud and will be included in the upcoming SonarQube 9.9 as well as in the next release of SonarLint.

That’s our last .NET release for 2022, see you in the new year!

Tom

Corniel · December 23, 2022, 1:18pm

It was great fun creating this one. There other rules (implemented both for Java and PHP) about regexes and how they could be improved. may be I’ll investigate them the next year.

Topic		Replies	Views
Denial Of Services Java Regex Pattern SonarQube Server / Community Build sonarqube	1	796	May 13, 2024
RegEx evaluation should have a time out specified New rules / language support csharp , vbnet	6	7804	June 20, 2022
False positive regex DoS vulnerability? SonarQube Server / Community Build sonarqube	3	7923	October 13, 2023
Process wide setting for RegEx match timeout is ignored Report False-positive / False-negative... csharp , regex	8	1582	February 3, 2024
Regular expression in Javascript SonarQube Server / Community Build	3	691	March 4, 2021

New Security Hotspot for Regular Expressions in .NET

Related topics