CWE-186: Overly Restrictive Regular Expression
Learn about CWE-186 (Overly Restrictive Regular Expression), its security impact, exploitation methods, and prevention guidelines.
What is Overly Restrictive Regular Expression?
• Overview: A CWE-186 vulnerability occurs when a regular expression is too restrictive, failing to match all intended values, thereby missing potentially dangerous inputs or false positives. This is not about complexity but about incorrect matching scope, such as using /[0-8]/ instead of /[0-9]/.
• Exploitation Methods:
- Attackers can bypass validation or filtering mechanisms by exploiting the regular expression's failure to detect certain inputs.
- Common attack patterns include injecting malicious input that is not detected due to the overly restrictive nature of the regex.
• Security Impact:
- Direct consequences include the failure to filter or validate input correctly, allowing harmful data to pass through.
- Potential cascading effects involve enabling further attacks like SQL injection, XSS, or data corruption.
- Business impact can be significant, including data breaches, loss of customer trust, and compliance issues.
• Prevention Guidelines:
- Specific code-level fixes involve ensuring regular expressions match the full range of intended values, using comprehensive test cases.
- Security best practices include thorough validation and verification of regex patterns and understanding the scope of inputs.
- Recommended tools and frameworks include using regex testing tools and linters to validate and optimize regular expressions.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
JavaScript Example
// Vulnerable code using an overly restrictive regular expression to validate email addresses.
// This regular expression may reject valid email addresses that do not strictly conform to its limited pattern.
function isValidEmail(email) {
const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\$/; // Limited regex pattern
return emailRegex.test(email);
}
console.log(isValidEmail("user@example.com")); // true
console.log(isValidEmail("user.name+tag+sorting@example.com")); // false, but should be true
Explanation
The regular expression used in the above code is overly restrictive because it does not account for all valid variations of email addresses, such as those with special characters or subdomains. This can lead to false negatives where valid emails are incorrectly rejected.
How to fix Overly Restrictive Regular Expression?
Fixed Code Example
// Fixed code using the `validator` library, which is well-tested and handles comprehensive email validation.
const validator = require('validator'); // Importing a library for robust email validation
function isValidEmail(email) {
return validator.isEmail(email); // Utilizes a comprehensive validation function
}
console.log(isValidEmail("user@example.com")); // true
console.log(isValidEmail("user.name+tag+sorting@example.com")); // true, correctly handled now
Explanation
In this fixed example, we replaced the overly restrictive custom regex with a call to validator.isEmail(email), leveraging a proven library to handle email validation. This approach not only simplifies the code but also ensures it adheres to the standard email format specifications and is updated to handle new edge cases as they arise. Using a library like validator.js is a best practice because it reduces the likelihood of errors and maintenance overhead associated with custom regex solutions.