CWE-185: Incorrect Regular Expression

CWE-185: Incorrect Regular Expression | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers.

Vulnerable example

perl

$phone = GetPhoneNumber();

An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression.

This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command.

Vulnerable example

python

import subprocess

Since the regular expression does not have anchors (CWE-777), i.e. is unbounded without ^ or $ characters, then prepending a 0 or 0x to the beginning of the IP address will still result in a matched regex pattern. Since the ping command supports octal and hex prepended IP addresses, it will use the unexpectedly valid IP address (CWE-1389). For example, "0x63.63.63.63" would be considered equivalent to "99.63.63.63". As a result, the attacker could potentially ping systems that the attacker cannot reach directly.

CWE-185: Incorrect Regular Expression

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-185?

What CVEs are caused by CWE-185?

How do you prevent CWE-185?

How is CWE-185 detected?

What are the consequences of CWE-185?

Is CWE-185 actively exploited?

References

Stay ahead of CWE-185

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Can precede

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-185?

What CVEs are caused by CWE-185?

How do you prevent CWE-185?

How is CWE-185 detected?

What are the consequences of CWE-185?

Is CWE-185 actively exploited?

References

Stay ahead of CWE-185