{"@ID": "625", "@Name": "Permissive Regular Expression", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product uses a regular expression that does not sufficiently restrict the set of allowed values.", "Extended_Description": {"xhtml:p": "This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:", "xhtml:ul": {"xhtml:li": ["not identifying the beginning and end of the target string", "using wildcards instead of acceptable character ranges", "others"]}}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "185", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "187", "@View_ID": "1000"}, {"@Nature": "PeerOf", "@CWE_ID": "184", "@View_ID": "1000"}, {"@Nature": "PeerOf", "@CWE_ID": "183", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": [{"@Name": "Perl", "@Prevalence": "Undetermined"}, {"@Name": "PHP", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation", "Note": "This problem is frequently found when the regular expression is used in input validation or security features such as authentication."}}, "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": "Bypass Protection Mechanism"}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Implementation", "Description": "When applicable, ensure that the regular expression marks beginning and ending string patterns, such as \"/^string$/\" for Perl."}}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-37", "Intro_Text": "The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers.", "Example_Code": {"@Nature": "Bad", "@Language": "Perl", "xhtml:div": {"xhtml:br": [null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:i": "# looks like it only has hyphens and digits", "xhtml:br": null, "#text": "system(\"lookup-phone $phone\");"}, {"@style": "margin-left:1em;", "#text": "error(\"malformed number!\");"}], "#text": "$phone = GetPhoneNumber();if ($phone =~ /\\d+-\\d+/) {}\n                     else {}"}}, "Body_Text": "An attacker could provide an argument such as: \"; ls -l ; echo 123-456\" This would pass the check, since \"123-456\" is sufficient to match the \"\\d+-\\d+\" portion of the regular expression."}, {"@Demonstrative_Example_ID": "DX-154", "Intro_Text": "This code uses a regular expression to validate an IP string prior to using it in a call to the \"ping\" command.", "Example_Code": {"@Nature": "Bad", "@Language": "Python", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "return ip"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "raise ValueError(\"IP address does not match valid pattern.\")"}], "#text": "ip_validator = re.compile(r\"((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}\")\n\t\t    if ip_validator.match(ip):\n\t\t    \n\t\t    else:"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null], "xhtml:i": "# The ping command treats zero-prepended IP addresses as octal", "#text": "validated = validate_ip_regex(ip)\n\t\t    \n\t\t    result = subprocess.call([\"ping\", validated])\n\t\t    print(result)"}], "#text": "import subprocess\n\t\t  import re\n\t\t  \n\t\t  def validate_ip_regex(ip: str):\n\t\t  \n\t\t  \n\t\t  def run_ping_regex(ip: str):"}}, "Body_Text": "Since the regular expression does not have anchors (CWE-777), i.e. is unbounded without ^ or $ characters, then prepending a 0 or 0x to the beginning of the IP address will still result in a matched regex pattern. Since the ping command supports octal and hex prepended IP addresses, it will use the unexpectedly valid IP address (CWE-1389). For example, \"0x63.63.63.63\" would be considered equivalent to \"99.63.63.63\". As a result, the attacker could potentially ping systems that the attacker cannot reach directly."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2021-22204", "Description": "Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV.", "Link": "https://www.cve.org/CVERecord?id=CVE-2021-22204"}, {"Reference": "CVE-2006-1895", "Description": "\".*\" regexp leads to static code injection", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-1895"}, {"Reference": "CVE-2002-2175", "Description": "insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-2175"}, {"Reference": "CVE-2006-4527", "Description": "regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion.", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-4527"}, {"Reference": "CVE-2005-1949", "Description": "Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1949"}, {"Reference": "CVE-2002-2109", "Description": "Regexp isn't \"anchored\" to the beginning or end, which allows spoofed values that have trusted values as substrings.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-2109"}, {"Reference": "CVE-2006-6511", "Description": "regexp in .htaccess file allows access of files whose names contain certain substrings", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-6511"}, {"Reference": "CVE-2006-6629", "Description": "allow load of macro files whose names contain certain substrings.", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-6629"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "IDS08-J", "Entry_Name": "Sanitize untrusted data passed to a regex"}}, "References": {"Reference": {"@External_Reference_ID": "REF-62", "@Section": "Chapter 8, \"Character Stripping Vulnerabilities\", Page 437"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2007-05-07", "Submission_Version": "Draft 6", "Submission_ReleaseDate": "2007-05-07"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Applicable_Platforms, Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-07-27", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-06-23", "Modification_Version": "2.7", "Modification_ReleaseDate": "2014-06-23", "Modification_Comment": "updated Modes_of_Introduction, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-06-28", "Modification_Version": "4.8", "Modification_ReleaseDate": "2022-06-28", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}]}}
