Corgea LogoCorgea Security Hub

CWE-624: Executable Regular Expression Error

Learn about CWE-624 (Executable Regular Expression Error), its security impact, exploitation methods, and prevention guidelines.

What is Executable Regular Expression Error?

• Overview: Executable Regular Expression Error (CWE-624) occurs when a regular expression includes components that can be executed with user-controlled inputs or allows users to enable execution through pattern modifiers. This can lead to unintended command execution or code injection, particularly in languages like PHP and Perl.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by injecting malicious inputs into regular expressions that are executed by the application.
  • Common attack patterns include inserting pattern modifiers or executable code segments within user inputs to manipulate the regular expression engine.

• Security Impact:

  • Direct consequences of successful exploitation include arbitrary code execution, unauthorized access, and data leaks.
  • Potential cascading effects can lead to complete system compromise and further exploitation of other vulnerabilities.
  • Business impact involves reputational damage, data breaches, financial loss, and regulatory penalties.

• Prevention Guidelines:

  • Specific code-level fixes include avoiding the use of executable components within regular expressions and ensuring user inputs are properly sanitized.
  • Security best practices involve validating and escaping user inputs, using non-executable regular expressions, and avoiding the use of pattern modifiers that can enable execution.
  • Recommended tools and frameworks include static analysis tools to detect such vulnerabilities and using regular expression libraries that enforce execution safety.
Corgea can automatically detect and fix Executable Regular Expression Error in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: PHP, Perl

Affected Technologies: Not specified

Vulnerable Code Example

PHP Example

// Example of a vulnerable regular expression usage in PHP

// User input is taken from a query parameter
\$userInput = \$_GET['pattern'];

// The input is directly included as part of the regular expression, leaving it open to execution
if (preg_match("/\$userInput/", "some test string")) { 
    echo "Pattern matched!";
} else {
    echo "No match.";
}

Explanation of Vulnerability

  • Vulnerability: The regular expression pattern \$userInput is directly constructed from user-controlled input without any validation or sanitization. This can lead to security issues where an attacker might insert pattern modifiers or executable content into the regex. Such unvalidated input could cause denial of service through excessive resource consumption or other unintended behavior due to complex patterns.

How to fix Executable Regular Expression Error?

To fix this vulnerability, it's crucial to sanitize and validate any user-controlled input that is intended to be used in constructing regular expressions. Here are the steps you should take:

  1. Sanitize User Input: Use a whitelist approach to ensure only expected characters are allowed in the regex pattern. This can prevent malicious input from executing unintended regex operations.
  2. Use Boundaries in Regex: If applicable, add specific boundaries to limit the potential impact of the regex pattern.
  3. Strict Pattern Validation: Explicitly define the allowed patterns and reject any input that does not conform to these patterns.
  4. Escape Special Characters: Use functions like preg_quote() to escape special characters in user input, preventing them from being interpreted as regex operators.

Fixed Code Example

// Fixed version of the code with proper input validation and sanitization

// User input from a query parameter
\$userInput = \$_GET['pattern'];

// Sanitize and validate the user input
// Allow only alphanumeric characters and basic regex symbols like dots and asterisks
\$safePattern = preg_replace('/[^a-zA-Z0-9.*]/', '', \$userInput);

// Escape special regex characters to prevent execution or modification
\$safePattern = preg_quote(\$safePattern, '/');

// Use the sanitized and safely quoted pattern in the regex
if (preg_match("/\$safePattern/", "some test string")) { 
    echo "Pattern matched!";
} else {
    echo "No match.";
}

Explanation of Fixes

  • Regex Sanitization: The input pattern is sanitized to allow only alphanumeric characters and basic regex symbols like dots and asterisks, ensuring that no harmful modifiers or constructs are introduced.
  • Escaping Special Characters: The preg_quote() function is used to escape any remaining special characters, which prevents them from being interpreted as part of the regex pattern.
  • Controlled Execution: By controlling the input to the regex, the risk of executable regex errors is significantly reduced, preventing potential misuse or denial of service attacks.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-624: Executable Regular Expression Error and get remediation guidance

Start for free and no credit card needed.