2021年12月12日05:45:12评论146 views字数 2257阅读7分31秒阅读模式

CWE-777 没有下界集合的正则表达式

Regular Expression without Anchors

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: Medium

基本描述

The software uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.

扩展描述

When performing tasks such as whitelist validation, data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may be included before or after any string matching the regular expression. The type of malicious data that is allowed will depend on the context of the application and which anchors are omitted from the regular expression.

常见的影响

范围	影响	注释
['Availability', 'Confidentiality', 'Access Control']	Bypass Protection Mechanism	An unanchored regular expression in the context of a whitelist will possibly result in a protection mechanism failure, allowing malicious or malformed data to enter trusted regions of the program. The specific consequences will depend on what functionality the whitelist was protecting.

可能的缓解方案

Implementation

策略:

Be sure to understand both what will be matched and what will not be matched by a regular expression. Anchoring the ends of the expression will allow the programmer to define a whitelist strictly limited to what is matched by the text in the regular expression. If you are using a package that only matches one line by default, ensure that you can match multi-line inputs if necessary.

示例代码

例

Consider a web application that supports multiple languages. It selects messages for an appropriate language by using the lang parameter.

bad PHP

$dir = "/home/cwe/languages";
$lang = $_GET['lang'];
if (preg_match("/[A-Za-z0-9]+/", $lang)) {

include("$dir/$lang");

}
else {

echo "You shall not pass!n";

}

The previous code attempts to match only alphanumeric values so that language values such as "english" and "french" are valid while also protecting against path traversal, CWE-22. However, the regular expression anchors are omitted, so any text containing at least one alphanumeric character will now pass the validation step. For example, the attack string below will match the regular expression.

attack

../../etc/passwd

If the attacker can inject code sequences into a file, such as the web server's HTTP request log, then the attacker may be able to redirect the lang parameter to the log file and execute arbitrary code.

文章来源于互联网:scap中文网

左青龙
微信扫一扫

右白虎
微信扫一扫

CWE-777 没有下界集合的正则表达式

CWE-777 没有下界集合的正则表达式

Regular Expression without Anchors

基本描述

扩展描述

相关缺陷

常见的影响

可能的缓解方案

Implementation

示例代码

例

View-999: Weaknesses without Software Fault Patterns

View-884: CWE Cross-section

View-868: Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version)

View-844: Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)

View-809: Weaknesses in OWASP Top Ten (2010)

View-800: Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

View-750: Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors

View-734: Weaknesses Addressed by the CERT C Secure Coding Standard (2008)

View-711: Weaknesses in OWASP Top Ten (2004)

View-709: Named Chains

发表评论

在线咨询

微信