Python User Input In Regex
Description
Detects potential Regular Expression Denial of Service (ReDoS) vulnerabilities in Python code where user input is used directly as a regular expression pattern. When untrusted user input is used in regex patterns, maliciously crafted input can introduce patterns that cause catastrophic backtracking, exhausting CPU and leading to denial of service.
Detection Strategy
• Identifies calls to Python regex functions: re.match, re.findall, or re.search
• Checks if the first argument to these regex functions contains or is derived from user input
• Reports a vulnerability when user-controlled data flows into the pattern parameter of regex functions
• Focuses on direct function calls where the regex pattern argument comes from user input
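The following is an added illustration of this detection strategy, not Fluid Attacks' own rule implementation: a small AST-based checker that flags re.match, re.search and re.findall calls whose first argument is rooted in Flask's request object (an assumed source), treats re.escape as the sanitizer, and goes slightly beyond the direct-call focus above by also following simple assignments, string concatenation and f-strings. It assumes Python 3.9+ for ast.unparse.

```python
import ast
REGEX_SINKS = {"match", "search", "findall"}  # the re.* functions named on the page
SANITIZERS = {"escape"}                        # re.escape() makes user text a literal pattern

def _reads_request(node):
    """True for expressions rooted in Flask's `request` (request.args[...], request.args.get(...))."""
    return ast.unparse(node).startswith("request.")  # assumption: Flask-style source; needs Python 3.9+

def _re_call(node, names):
    """Return '<name>' when node is a call re.<name>(...) with <name> in names, else None."""
    f = node.func
    ok = isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id == "re"
    return f.attr if ok and f.attr in names else None

class _Scanner(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding user-derived text
        self.findings = []     # (line, "re.<func>") where a tainted pattern reaches a sink

    def _tainted(self, node):
        if isinstance(node, ast.Call) and _re_call(node, SANITIZERS):
            return False  # escaped: the input can no longer introduce quantifiers or groups
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.BinOp):  # "^" + user_input is still user-derived
            return self._tainted(node.left) or self._tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f"^{user_input}$" likewise
            return any(self._tainted(v.value) for v in node.values if isinstance(v, ast.FormattedValue))
        return _reads_request(node)

    def visit_Assign(self, node):
        self.generic_visit(node)
        for t in node.targets:  # each (re)assignment updates the taint set in source order
            if isinstance(t, ast.Name):
                (self.tainted.add if self._tainted(node.value) else self.tainted.discard)(t.id)

    def visit_Call(self, node):
        func = _re_call(node, REGEX_SINKS)
        if func and node.args and self._tainted(node.args[0]):  # the pattern is the first argument
            self.findings.append((node.lineno, f"re.{func}"))
        self.generic_visit(node)

def find_user_input_in_regex(source):
    """Return [(line, 're.<func>'), ...] for every regex sink whose pattern is user-controlled."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return scanner.findings

# Constructed samples that mirror the page's two snippets (reduced to the lines that matter).
VULNERABLE = 'import re\nfrom flask import request\ndef f(email):\n    p = request.args["pattern"]\n    re.search(p, email)\n'
SECURE = 'import re\nfrom flask import request\ndef f(email):\n    p = re.escape(request.args["pattern"])\n    re.search(p, email)\n'
```

Running find_user_input_in_regex(VULNERABLE) reports the re.search on line 5, while the SECURE sample produces no findings because re.escape breaks the taint flow.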
Vulnerable code example
from flask import request
import re

def validate_user_input(email: str):
    # Vulnerable: unsanitized user input is used directly as the regex pattern,
    # so the caller controls quantifiers and groups and can force heavy backtracking
    user_pattern = request.args["pattern"]
    re.search(user_pattern, email)
    ...

✅ Secure code example
from flask import request
import re

def validate_user_input(email: str):
    # Safe: re.escape() turns the user input into a literal pattern,
    # so it can only match itself and cannot introduce regex metacharacters
    user_pattern = re.escape(request.args["pattern"])
    re.search(user_pattern, email)
    ...

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.