Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: Unknown
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:
Nature | CWE ID | View ID | Ordinal |
---|---|---|---|
ChildOf | 185 | 1000 | Primary |
ChildOf | 185 | 699 | Primary |
PeerOf | 187 | 1000 | |
PeerOf | 184 | 1000 | |
PeerOf | 183 | 1000 | |
Language: Perl (Prevalence: Undetermined), PHP (Prevalence: Undetermined)
Scope | Impact | Notes |
---|---|---|
Access Control | Bypass Protection Mechanism |
Mitigation strategy:
When applicable, ensure that the regular expression anchors both the beginning and the end of the string, such as `/^string$/` in Perl, so that only a whole-string match is accepted.
The following example demonstrates the weakness.
(Bad code, Perl)
An attacker could provide an argument such as `; ls -l ; echo 123-456`. This would pass the check, since the substring `123-456` is sufficient to match the `\d+-\d+` portion of the regular expression, while the rest of the argument is never examined.
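The substring-match problem above, and the partial username comparison of CVE-2002-2175 listed below, as an added Python example that is not code from the CWE entry; the function names and the `bob`/`bobby` records are constructed here, and only the attacker string is taken from the text:

```python
import re

# Added example (not code from the CWE entry). Names and sample values are
# constructed here; only the attacker string "; ls -l ; echo 123-456" comes
# from the entry's text.

PHONE_PATTERN = r"\d+-\d+"

def permissive_is_phone(value: str) -> bool:
    """Weak check of the kind the entry describes: re.search accepts any
    string that merely CONTAINS the pattern, so a substring match passes."""
    return re.search(PHONE_PATTERN, value) is not None

def dollar_anchored_is_phone(value: str) -> bool:
    """Anchored with ^ and $, as the mitigation suggests. Caveat: in Python
    (and Perl) '$' also matches just before a final newline, so
    '123-456\\n' still passes; fullmatch (or \\Z) closes that gap."""
    return re.match(r"^" + PHONE_PATTERN + r"$", value) is not None

def strict_is_phone(value: str) -> bool:
    """Hardened check: fullmatch requires the entire string to match."""
    return re.fullmatch(PHONE_PATTERN, value) is not None

def permissive_user_match(stored_user: str, requested_user: str) -> bool:
    """Partial comparison like CVE-2002-2175: the requested name is used as
    an unanchored, unescaped regex, so 'bob' matches the record for 'bobby'."""
    return re.search(requested_user, stored_user) is not None

def strict_user_match(stored_user: str, requested_user: str) -> bool:
    """Escape the user-supplied name and require a whole-string match."""
    return re.fullmatch(re.escape(requested_user), stored_user) is not None

def find_user_records(records: list, requested_user: str, checker) -> list:
    """Return the records whose username the given checker accepts."""
    return [r for r in records if checker(r["user"], requested_user)]

if __name__ == "__main__":
    evil = "; ls -l ; echo 123-456"
    print("permissive:", permissive_is_phone(evil))   # True  (accepted)
    print("strict:    ", strict_is_phone(evil))       # False (rejected)
    users = [{"user": "bob"}, {"user": "bobby"}]      # constructed records
    print(find_user_records(users, "bob", permissive_user_match))  # both
    print(find_user_records(users, "bob", strict_user_match))      # bob only
```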
Identifier | Description | Link |
---|---|---|
CVE-2006-1895 | ".*" regexp leads to static code injection | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1895 |
CVE-2002-2175 | insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2175 |
CVE-2006-4527 | regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4527 |
CVE-2005-1949 | Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1949 |
CVE-2002-2109 | Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2109 |
CVE-2006-6511 | regexp in .htaccess file allows access of files whose names contain certain substrings | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6511 |
CVE-2006-6629 | allow load of macro files whose names contain certain substrings. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6629 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
The CERT Oracle Secure Coding Standard for Java (2011) | IDS08-J | | Sanitize untrusted data passed to a regex |