Java Redos User Input In Compile
Description
This detector identifies Regular Expression Denial of Service (ReDoS) vulnerabilities in Java applications where user-controlled input is used as the pattern passed to Pattern.compile(). ReDoS attacks exploit inefficient regular expressions, typically nested or overlapping quantifiers such as (a+)+, to cause excessive CPU consumption and denial of service: a maliciously crafted input forces catastrophic backtracking in java.util.regex, whose backtracking matcher has no built-in match-time limit. When the attacker controls the pattern itself, they choose both the pathological expression and the subject text that drives it, so care taken over the application's own regexes does not help.
Detection Strategy
• Java code imports java.util.regex.Pattern or java.util.regex.*
• The code calls matcher() on a Pattern object
• That Pattern object was created with Pattern.compile() using unsafe parameters: a pattern string built from user-controlled input, or a regex known to backtrack catastrophically
• The argument passed to matcher(), the text being matched, contains user-controlled input, so the attacker can supply the subject that triggers the backtracking
Vulnerable code example
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.*;
@RestController
public class RegexController {
// User-controlled pattern creates ReDoS vulnerability...
✅ Secure code example
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.*;
@RestController
public class RegexController {
// User input sanitized with Pattern.quote() to prevent ReDoS...
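The following is an added, self-contained example written for this page; it is not code from the Fluid Attacks detector or from the snippets above. It shows the sink the detection strategy describes (an attacker-controlled pattern reaching Pattern.compile() and matcher()), the Pattern.quote() fix the secure example refers to, and a bounded fallback for the case where a user really must supply a regex. To run without Spring or a servlet container, the request parameters are simulated with constructed strings; the class, method names and the 100 ms budget are this example's own choices, and it needs Java 11 or later for String.repeat().

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not code from the Fluid Attacks page. Plain Java 11+ with no
 * Spring or servlet dependency, so it runs as-is with `java RedosDemo.java`.
 * The "pattern" and "text" request parameters a controller would read from
 * HttpServletRequest are simulated with constructed strings.
 */
public class RedosDemo {

    /** Vulnerable: the regex itself is attacker-controlled (what the detector flags). */
    static boolean vulnerableMatch(String userPattern, String userText) {
        Pattern p = Pattern.compile(userPattern);   // attacker picks the regex...
        Matcher m = p.matcher(userText);            // ...and the subject text
        return m.find();
    }

    /**
     * Secure, the fix the page shows: Pattern.quote() wraps the string in
     * \Q...\E so every metacharacter is literal. The user can no longer
     * introduce quantifiers, and a literal search is linear in the input.
     */
    static boolean quotedMatch(String userLiteral, String userText) {
        Pattern p = Pattern.compile(Pattern.quote(userLiteral));
        return p.matcher(userText).find();
    }

    /**
     * Defence in depth for a feature that genuinely needs a user regex, where
     * quoting would break it. java.util.regex has no timeout, but Matcher reads
     * the subject through the CharSequence interface, so a wrapper whose
     * charAt() enforces a deadline aborts a runaway match. With length caps,
     * this bounds the CPU an attacker can burn per request.
     */
    static boolean boundedMatch(String userPattern, String userText, long budgetMillis) {
        if (userPattern.length() > 200 || userText.length() > 10_000) {
            throw new IllegalArgumentException("pattern or text too long");
        }
        Pattern p = Pattern.compile(userPattern);   // still attacker-controlled, but bounded
        Matcher m = p.matcher(new DeadlineCharSequence(userText, budgetMillis));
        return m.find();                            // throws IllegalStateException past the deadline
    }

    /** CharSequence that fails fast once the wall-clock budget is spent. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long budgetMillis) {
            this(inner, System.nanoTime() + budgetMillis * 1_000_000L);
        }

        private DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public char charAt(int index) {
            // The matcher calls this on every character access, including each
            // backtracking retry, so a catastrophic match hits the check quickly.
            if (System.nanoTime() - deadlineNanos > 0) {
                throw new IllegalStateException("regex match exceeded time budget");
            }
            return inner.charAt(index);
        }

        @Override public int length() { return inner.length(); }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    public static void main(String[] args) {
        // Constructed attacker input: nested quantifier plus a subject that can
        // only fail on its last character, forcing about 2^27 backtracking paths.
        String evilPattern = "^(a+)+$";
        String evilText = "a".repeat(28) + "!";

        // Quoted: the "regex" is just a literal string, found instantly.
        System.out.println("quoted literal found: "
                + quotedMatch(evilPattern, "contains ^(a+)+$ literally"));

        // Bounded: same hostile regex, aborted after 100 ms instead of minutes.
        try {
            System.out.println("bounded result: " + boundedMatch(evilPattern, evilText, 100));
        } catch (IllegalStateException e) {
            System.out.println("bounded match aborted: " + e.getMessage());
        }

        // vulnerableMatch(evilPattern, evilText) would pin a core for a long
        // time; it is left uncalled so the demo finishes.
    }
}
```

Pattern.quote() is the right fix when the user value is a search term, which is the usual case. If the feature requires a user-supplied regex, quoting removes that feature rather than securing it; the options then are an allowlist of predefined patterns the user can choose from, a linear-time engine such as RE2/J instead of java.util.regex, or the deadline wrapper above. Note that the wrapper only degrades the attack: each request can still burn up to the budget, so it belongs alongside rate limiting, not in place of it.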