C Sharp Untrusted Input In Regex
Description
Detects potential Regular Expression Denial of Service (ReDoS) vulnerabilities in C# code where untrusted input is used directly in regular expressions. An attacker could craft malicious input that causes the regex engine to process patterns inefficiently, leading to excessive CPU consumption and application delays.
Detection Strategy
• Identifies calls to C# Regex.Match() method in the code
• Checks if the pattern parameter passed to Regex.Match() contains or is derived from untrusted input (like user input, request parameters, or file content)
• Reports a vulnerability when untrusted/unsanitized data flows into the regex pattern parameter
Vulnerable code example
using System;
using System.Text.RegularExpressions;

public class Validator
{
    public bool ValidateInput(string userInput)
    {
        // VULNERABLE: Direct use of unvalidated input in regex pattern can lead to ReDoS
        // (the page's excerpt is cut off here; the body below is a minimal reconstruction
        // that preserves the flaw described: the untrusted string becomes the pattern)
        Match match = Regex.Match("text to scan", userInput);
        return match.Success;
    }
}

✅ Secure code example
using System;
using System.Text.RegularExpressions;

public class Validator
{
    public bool ValidateInput(string userInput)
    {
        try
        {
            // (the page's excerpt is cut off here; the body below is a minimal reconstruction)
            // SECURE: escape the untrusted text so it is matched literally, and bound the
            // evaluation time so a pathological pattern cannot stall the thread
            string safePattern = Regex.Escape(userInput);
            Match match = Regex.Match("text to scan", safePattern, RegexOptions.None, TimeSpan.FromMilliseconds(100));
            return match.Success;
        }
        catch (RegexMatchTimeoutException)
        {
            return false;
        }
    }
}
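The program below is an added example, not code from the Fluid Attacks page, that puts the two controls side by side on a constructed input: a user-supplied search term is first passed through Regex.Escape so the engine treats it as data, and then, for the case where a pattern genuinely has to come from outside, the same term is evaluated raw but under a match timeout so the worst case becomes a caught exception instead of a stalled thread. The sample term, the haystack and the 200 ms bound are assumptions chosen for the demonstration; the APIs (Regex.Escape, the Regex.Match overload taking a matchTimeout, RegexMatchTimeoutException) are the standard System.Text.RegularExpressions members.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not the page's code): contrasts treating untrusted text as a literal
// versus as a pattern, and shows the timeout guard for the latter.
public static class RegexHardeningDemo
{
    // Constructed sample: text a user might type into a search box. As a literal it is
    // harmless; as a pattern its nested quantifier backtracks heavily on near-misses.
    private const string UntrustedSearchTerm = "(a+)+$";

    // Constructed sample: the text the application scans. It contains the literal term,
    // so a correct "find this text" check should succeed.
    private const string Haystack = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa! see (a+)+$";

    // Upper bound on the time any single evaluation may consume (assumed value).
    private static readonly TimeSpan MatchTimeout = TimeSpan.FromMilliseconds(200);

    // Preferred fix: the user's text is data, so escape it before it reaches the engine.
    // Escaping turns "(a+)+$" into "\(a\+\)\+\$", which matches only that exact string.
    public static bool ContainsLiteral(string haystack, string untrustedTerm)
    {
        string pattern = Regex.Escape(untrustedTerm);
        Match match = Regex.Match(haystack, pattern, RegexOptions.None, MatchTimeout);
        return match.Success;
    }

    // Defence in depth for the rare case where the pattern itself must be external:
    // the timeout converts unbounded backtracking into a RegexMatchTimeoutException.
    public static bool MatchesWithTimeout(string haystack, string untrustedPattern)
    {
        try
        {
            Match match = Regex.Match(haystack, untrustedPattern, RegexOptions.None, MatchTimeout);
            return match.Success;
        }
        catch (RegexMatchTimeoutException)
        {
            // Treat as a non-match (and log it); the caller never waits indefinitely.
            return false;
        }
        catch (ArgumentException)
        {
            // Malformed pattern supplied by the caller; reject instead of crashing.
            return false;
        }
    }

    public static void Main()
    {
        // Returns true immediately: the escaped term is found as plain text.
        Console.WriteLine($"Escaped literal search: {ContainsLiteral(Haystack, UntrustedSearchTerm)}");

        // Returns false: either no match is found or the 200 ms bound fires first.
        Console.WriteLine($"Raw pattern with timeout: {MatchesWithTimeout(Haystack, UntrustedSearchTerm)}");
    }
}
```

Design note: Regex.Escape is the control that removes the vulnerability, because the untrusted string can no longer change the structure of the pattern; the timeout only limits damage. On .NET 7 and later, RegexOptions.NonBacktracking is a further option when an external pattern is unavoidable, since it guarantees linear-time matching at the cost of some unsupported constructs. Whichever path is taken, a timeout or rejection should be logged: a burst of RegexMatchTimeoutException events is a useful detection signal for an attempted ReDoS.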