fortify Denial of Service: Regular Expression

2.2k views Asked by At

I am using split function, but getting an issue in fortify.

Denial of Service: Regular Expression. Please find the sample code below.

String service = "abc"
String accessUrl= "https://www.google.com/abc/def"
String urlStringPart= accessUrl.split(service + "/")[1];
1

There are 1 answers

1
Stephen C On BEST ANSWER

OK, so it looks like Fortify has concluded that service could be injected from some request parameter. That's not possible if the real code is equivalent to what you have shown us.

On the other hand ...

If service did come from a request parameter ... or something else that a remote user could inject ... then there is a real risk of a denial of service attack. The issue is the argument to split is a regex not just a simple string. The bad guy could inject any regex there, including a regex that is carefully crafted to trigger catastrophic backtracking. This could waste a lot of CPU ...

As noted: one fix is to use Pattern.quote(service) so that the bad guy can't inject a regex.