I am using split function, but getting an issue in fortify.
Denial of Service: Regular Expression. Please find the sample code below.
String service = "abc"
String accessUrl= "https://www.google.com/abc/def"
String urlStringPart= accessUrl.split(service + "/")[1];
OK, so it looks like Fortify has concluded that
service
could be injected from some request parameter. That's not possible if the real code is equivalent to what you have shown us.On the other hand ...
If
service
did come from a request parameter ... or something else that a remote user could inject ... then there is a real risk of a denial of service attack. The issue is the argument to split is a regex not just a simple string. The bad guy could inject any regex there, including a regex that is carefully crafted to trigger catastrophic backtracking. This could waste a lot of CPU ...As noted: one fix is to use
Pattern.quote(service)
so that the bad guy can't inject a regex.