Hi .NET Folks
We are happy to announce that we have a new security hotspot for C# and VB.NET that will raise an issue if your regular expression does not specify a timeout. Regular expressions can be vulnerable to denial-of-service attacks, so if the input is untrusted and your regular expression might be vulnerable to catastrophic backtracking, it’s important to include a timeout to protect your application. A huge thank you goes to open-source contributor @Corniel for his work on this.
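To illustrate what the hotspot is pointing at, here is an added example (not Sonar's rule code or the original post's): the same nested-quantifier pattern built once without a timeout and once with one, where the timed version turns a runaway match into a handled `RegexMatchTimeoutException`. The pattern, the 100 ms budget and the hostile input are constructed for the demo.

```csharp
using System;
using System.Text.RegularExpressions;

public static class RegexTimeoutDemo
{
    // Constructed pattern with nested quantifiers: on a non-matching input the
    // backtracking engine explores exponentially many ways to split the 'a's.
    private const string Pattern = "^(a+)+$";

    // Before: no timeout. If the input is untrusted, one long non-matching
    // string can keep this call busy indefinitely. This is what the hotspot flags.
    public static bool IsMatchNoTimeout(string input)
    {
        var regex = new Regex(Pattern);
        return regex.IsMatch(input);
    }

    // After: the same pattern with a match timeout. When the engine exceeds
    // the budget it throws RegexMatchTimeoutException; we treat that as
    // "input rejected" and log it, so the request cannot hang.
    public static bool IsMatchWithTimeout(string input)
    {
        var regex = new Regex(Pattern, RegexOptions.None, TimeSpan.FromMilliseconds(100));
        try
        {
            return regex.IsMatch(input);
        }
        catch (RegexMatchTimeoutException)
        {
            // Worth a log line: repeated timeouts on one endpoint are a useful
            // detection signal for a ReDoS attempt.
            Console.Error.WriteLine($"Regex timed out on input of length {input.Length}");
            return false;
        }
    }

    public static void Main()
    {
        // Constructed untrusted input: many 'a's followed by a character that
        // makes the overall match fail, forcing the engine to backtrack.
        string hostile = new string('a', 40) + "!";

        Console.WriteLine(IsMatchWithTimeout("aaaa"));
        Console.WriteLine(IsMatchWithTimeout(hostile));
        // IsMatchNoTimeout(hostile) is deliberately not called here.
    }
}
```

A process-wide default can also be set through the `REGEX_DEFAULT_MATCH_TIMEOUT` AppDomain property, and on .NET 7 `RegexOptions.NonBacktracking` removes the backtracking behaviour entirely for patterns it supports; either way, an explicit per-instance timeout is the simplest thing to add where the hotspot fires.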
This is now available on SonarCloud and will be included in the upcoming SonarQube 9.9 as well as in the next release of SonarLint.
That’s our last .NET release for 2022. See you in the new year!