
Is it safe to use user's RegEx?

I want to add a feature to my website to let users search the texts with RegEx. But is it safe to let the users do something like that?

preg_match('/' . $user_input_regex . '/', $subject);
Sdgsdg Asgasgf asked Jul 19 '14 14:07



1 Answer

There is a possible attack on this code called a ReDoS attack (Regular expression Denial of Service).

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

Specifically with preg_match there is a known issue that can cause a PHP Segmentation Fault.

So the answer is no, it is not safe because of issues such as these.

SilverlightFox answered Sep 29 '22 13:09
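
One way to bound the `preg_match` call from the question, added here as an example and not part of the original question or answer. It assumes PHP 8+; `bounded_user_match()`, the `\x01` delimiter choice and every limit value are hypothetical.

```php
<?php
// Added example (not from the original post). Assumes PHP 8+.
// bounded_user_match() and all limit values are hypothetical choices.
const DELIM = "\x01";             // a delimiter the input is not allowed to contain
const MAX_PATTERN_BYTES = 256;
const MAX_SUBJECT_BYTES = 65536;

function bounded_user_match(string $userRegex, string $subject): array
{
    if (strlen($userRegex) > MAX_PATTERN_BYTES || strlen($subject) > MAX_SUBJECT_BYTES) {
        return ['status' => 'rejected', 'reason' => 'input too long'];
    }
    // With '/' . $input . '/' the input can close the pattern early and append
    // its own modifiers; rejecting the delimiter byte rules that out.
    if (str_contains($userRegex, DELIM)) {
        return ['status' => 'rejected', 'reason' => 'forbidden byte in pattern'];
    }
    // Lower the PCRE limits for this call, then restore the old values.
    $old = [
        'pcre.backtrack_limit' => ini_set('pcre.backtrack_limit', '10000'),
        'pcre.recursion_limit' => ini_set('pcre.recursion_limit', '1000'),
        'pcre.jit'             => ini_set('pcre.jit', '0'),
    ];
    $result = @preg_match(DELIM . $userRegex . DELIM, $subject);
    $reason = preg_last_error_msg();
    foreach ($old as $key => $value) {
        if ($value !== false) { ini_set($key, $value); }
    }
    if ($result === false) {
        // false covers both an invalid pattern and a limit being exhausted.
        return ['status' => 'error', 'reason' => $reason];
    }
    return ['status' => 'ok', 'matched' => $result === 1];
}

// Constructed inputs: a benign search, then a nested-quantifier pattern of the
// kind ReDoS write-ups describe, run against a subject it cannot match.
var_dump(bounded_user_match('colou?r', 'the colour red'));
var_dump(bounded_user_match('(a+)+$', str_repeat('a', 40) . '!'));
```

The limits bound the work of a single call only; they do not address the segmentation fault issue the answer mentions or the cost of many such requests.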