Scala ReDoS With Untrusted Input
Description
Detects potential Regular Expression Denial of Service (ReDoS) vulnerabilities in Scala code where untrusted input is used to build or evaluate regular expressions. A ReDoS attack exploits a poorly constructed regular expression whose evaluation time grows exponentially on crafted input, causing severe performance degradation.
Detection Strategy
• Identifies creation of regex pattern objects that may process untrusted input
• Detects calls to regex matching methods that could handle untrusted data
• Reports when regular expressions are used without proper input validation or sanitization
• Checks for common regex pattern compilation and matching methods in Scala
• Focuses on both direct regex object creation and method calls that process regular expressions
Vulnerable code example
import scala.util.matching.Regex

class RegexController {
  def processUserInput(pattern: String, input: String): Boolean = {
    // VULNERABLE: compiling untrusted input as a regex pattern lets the caller
    // choose a pattern with exponential evaluation time (ReDoS)
    val regex = new Regex(pattern)
    regex.findFirstIn(input).isDefined
  }
}

✅ Secure code example
import scala.util.matching.Regex
import java.util.regex.Pattern

class RegexController {
  def processUserInput(pattern: String, input: String): Boolean = {
    // Secure: Pattern.quote escapes the untrusted string so it is matched
    // literally and never interpreted as regex syntax, which prevents ReDoS
    val safePattern = Pattern.quote(pattern)
    val regex = new Regex(safePattern)
    regex.findFirstIn(input).isDefined
  }
}
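Pattern.quote is the right fix when the feature only needs a literal search, but it also means the caller can no longer supply a pattern at all; where a user-supplied pattern genuinely must be interpreted, the remaining control is to bound it. The following is an added example, not Fluid Attacks' code or part of the rule: RegexTimeoutException, DeadlineCharSequence and SafeRegex are hypothetical names, and the length and time budgets are illustrative values.

```scala
import java.util.regex.Pattern
import scala.util.matching.Regex
import scala.util.{Failure, Try}

// Thrown when a match runs past its time budget (hypothetical name).
final class RegexTimeoutException(msg: String) extends RuntimeException(msg)

// java.util.regex reads the subject text through CharSequence.charAt, so a wrapper
// that checks a deadline on every read aborts runaway backtracking instead of
// letting one request pin a thread. Constructed for this example.
final class DeadlineCharSequence(underlying: CharSequence, deadlineNanos: Long)
    extends CharSequence {
  def length(): Int = underlying.length
  def charAt(index: Int): Char = {
    if (System.nanoTime() - deadlineNanos > 0)
      throw new RegexTimeoutException("regex evaluation exceeded its time budget")
    underlying.charAt(index)
  }
  def subSequence(start: Int, end: Int): CharSequence =
    new DeadlineCharSequence(underlying.subSequence(start, end), deadlineNanos)
  override def toString: String = underlying.toString
}

object SafeRegex {
  // Case 1: the feature only needs a literal substring search. Quote the untrusted
  // string (the fix shown above) so it is never interpreted as regex syntax.
  def literalMatch(untrustedNeedle: String, input: String): Boolean =
    new Regex(Pattern.quote(untrustedNeedle)).findFirstIn(input).isDefined

  // Case 2: the feature must interpret a user-supplied pattern. Bound the pattern
  // length and the evaluation time; the caller receives a Failure rather than a
  // hung thread when a limit is exceeded or the pattern does not compile.
  def boundedMatch(pattern: String, input: String,
                   maxPatternLength: Int = 200, budgetMillis: Long = 100): Try[Boolean] =
    if (pattern.length > maxPatternLength)
      Failure(new IllegalArgumentException(s"pattern longer than $maxPatternLength chars"))
    else Try {
      val compiled = Pattern.compile(pattern) // PatternSyntaxException becomes a Failure
      val deadline = System.nanoTime() + budgetMillis * 1000000L
      compiled.matcher(new DeadlineCharSequence(input, deadline)).find()
    }
}

object Demo {
  def main(args: Array[String]): Unit = {
    // Constructed sample inputs: "." is matched literally, then an in-policy pattern
    // and an over-length pattern go through the bounded path.
    println(SafeRegex.literalMatch("a.b", "xa.by"))
    println(SafeRegex.literalMatch("a.b", "xaxby"))
    println(SafeRegex.boundedMatch("[a-z]+@example\\.com", "ops@example.com"))
    println(SafeRegex.boundedMatch("x" * 300, "irrelevant"))
  }
}
```

A Failure carrying RegexTimeoutException is a useful signal to log and alert on, since a legitimate pattern should rarely exhaust a budget of this size.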