regular-expression-dos-infinite-timeout
Specifying an infinite regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short duration, such as 2 or 3 seconds. If you are sure you need an infinite timeout, double-check that your context meets the conditions outlined in the “Notes to Callers” section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1333: Inefficient Regular Expression Complexity
OWASP:
- A01:2017 - Injection
regular-expression-dos
When using System.Text.RegularExpressions to process untrusted input, pass a timeout. A malicious user can provide input to RegularExpressions that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1333: Inefficient Regular Expression Complexity
OWASP:
- A01:2017 - Injection
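The two rule descriptions above, shown side by side as an added C# example (not part of the rule pages or of any project's code): the unbounded and infinite-timeout calls next to a bounded call that fails closed. The class name, method names, pattern and sample input are constructed for illustration; the 2-second value follows the suggestion in the first rule.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

static class RegexTimeoutDemo
{
    // Constructed pattern with nested quantifiers; it backtracks heavily on near-matches.
    const string Pattern = @"^(\w+\s?)+$";

    // Form the second rule describes: untrusted input matched with no timeout.
    static bool IsValidUnbounded(string input) =>
        Regex.IsMatch(input, Pattern);

    // Form the first rule describes: an explicit infinite timeout bounds nothing.
    static bool IsValidInfinite(string input) =>
        new Regex(Pattern, RegexOptions.None, Regex.InfiniteMatchTimeout).IsMatch(input);

    // Hardened form: match time is bounded and a timeout is treated as a rejection.
    static bool IsValidBounded(string input, TimeSpan timeout)
    {
        try
        {
            return Regex.IsMatch(input, Pattern, RegexOptions.None, timeout);
        }
        catch (RegexMatchTimeoutException)
        {
            // Fail closed: input that cannot be evaluated within the budget is rejected.
            return false;
        }
    }

    static void Main()
    {
        TimeSpan budget = TimeSpan.FromSeconds(2);

        // Constructed sample input: a run of word characters ending in a non-matching character.
        string untrusted = new string('a', 40) + "!";

        var sw = Stopwatch.StartNew();
        bool accepted = IsValidBounded(untrusted, budget);
        sw.Stop();
        Console.WriteLine($"untrusted: accepted={accepted} elapsed={sw.ElapsedMilliseconds} ms");

        // Ordinary input still matches well inside the budget.
        Console.WriteLine($"benign: accepted={IsValidBounded("hello world", budget)}");
    }
}
```

The unbounded and infinite-timeout methods are defined only for comparison and are deliberately never called from Main.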