ByteOS Network

CWE-625:Permissive Regular Expression

Weakness ID:625

Version:v4.17

Weakness Name:Permissive Regular Expression

Vulnerability Mapping:Allowed

Abstraction:Base

Structure:Simple

Status:Draft

Details Content History Observed CVE Examples Reports

▼Description

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

▼Extended Description

This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:

not identifying the beginning and end of the target string

using wildcards instead of acceptable character ranges

others

▼Relationships

Relevant to the view"Research Concepts - (1000)"

Nature	Mapping	Type	ID	Name
ChildOf	Allowed-with-Review	C	185	Incorrect Regular Expression
ParentOf	Allowed	V	777	Regular Expression without Anchors
PeerOf	Allowed	V	187	Partial String Comparison
PeerOf	Allowed	B	184	Incomplete List of Disallowed Inputs
PeerOf	Allowed	B	183	Permissive List of Allowed Inputs

Nature: ChildOf

Mapping: Allowed-with-Review

Type: Class

ID: 185

Name: Incorrect Regular Expression

Nature: ParentOf

Mapping: Allowed

Type: Variant

ID: 777

Name: Regular Expression without Anchors

Nature: PeerOf

Mapping: Allowed

Type: Variant

ID: 187

Name: Partial String Comparison

Nature: PeerOf

Mapping: Allowed

Type: Base

ID: 184

Name: Incomplete List of Disallowed Inputs

Nature: PeerOf

Mapping: Allowed

Type: Base

ID: 183

Name: Permissive List of Allowed Inputs

▼Memberships

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	19	Data Processing Errors
MemberOf	Prohibited	C	845	The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS)
MemberOf	Prohibited	C	990	SFP Secondary Cluster: Tainted Input to Command
MemberOf	Prohibited	C	1397	Comprehensive Categorization: Comparison

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 19

Name: Data Processing Errors

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 845

Name: The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS)

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 990

Name: SFP Secondary Cluster: Tainted Input to Command

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 1397

Name: Comprehensive Categorization: Comparison

▼Tags

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	BS	BOSS-250	Weaknesses in Software Written in Perl
MemberOf	Prohibited	BS	BOSS-316	Bypass Protection Mechanism (impact)

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-250

Name: Weaknesses in Software Written in Perl

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-316

Name: Bypass Protection Mechanism (impact)

▼Relevant To View

Relevant to the view"Software Development - (699)"

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	19	Data Processing Errors

Nature: MemberOf

Mapping: Prohibited

Type: Category

ID: 19

Name: Data Processing Errors

Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	990	SFP Secondary Cluster: Tainted Input to Command

Nature: MemberOf

Mapping: Prohibited

Type: Category

ID: 990

Name: SFP Secondary Cluster: Tainted Input to Command

▼Common Consequences

Scope	Likelihood	Impact	Note
Access Control	N/A	Bypass Protection Mechanism	N/A

Scope: Access Control

Likelihood: N/A

Impact: Bypass Protection Mechanism

Note:

N/A

▼Potential Mitigations

Phase:Implementation

Description:

When applicable, ensure that the regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl.

▼Modes Of Introduction

Phase: Implementation

Note:

This problem is frequently found when the regular expression is used in input validation or security features such as authentication.

▼Applicable Platforms

Languages

Perl(Undetermined Prevalence)

PHP(Undetermined Prevalence)

▼Demonstrative Examples

Example 1

The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers.

Language: Perl(Bad code)

$phone = GetPhoneNumber(); if ($phone =~ /\d+-\d+/) { # looks like it only has hyphens and digits* system("lookup-phone $phone");} else { error("malformed number!"); }

An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression.

Example 2

This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command.

Language: Python(Bad code)

import subprocess import re def validate_ip_regex(ip: str): ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}") if ip_validator.match(ip): return ip else: raise ValueError("IP address does not match valid pattern.") def run_ping_regex(ip: str): validated = validate_ip_regex(ip) # The ping command treats zero-prepended IP addresses as octal* result = subprocess.call(["ping", validated]) print(result)

Since the regular expression does not have anchors (CWE-777), i.e. is unbounded without ^ or $ characters, then prepending a 0 or 0x to the beginning of the IP address will still result in a matched regex pattern. Since the ping command supports octal and hex prepended IP addresses, it will use the unexpectedly valid IP address (CWE-1389). For example, "0x63.63.63.63" would be considered equivalent to "99.63.63.63". As a result, the attacker could potentially ping systems that the attacker cannot reach directly.

▼Observed Examples

Reference	Description
CVE-2021-22204	Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV.
CVE-2006-1895	".*" regexp leads to static code injection
CVE-2002-2175	insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another.
CVE-2006-4527	regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion.
CVE-2005-1949	Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
CVE-2002-2109	Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
CVE-2006-6511	regexp in .htaccess file allows access of files whose names contain certain substrings
CVE-2006-6629	allow load of macro files whose names contain certain substrings.

Reference: CVE-2021-22204

Description:

Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV.

Reference: CVE-2006-1895

Description:

".*" regexp leads to static code injection

Reference: CVE-2002-2175

Description:

insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another.

Reference: CVE-2006-4527

Description:

regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion.

Reference: CVE-2005-1949

Description:

Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.

Reference: CVE-2002-2109

Description:

Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.

Reference: CVE-2006-6511

Description:

regexp in .htaccess file allows access of files whose names contain certain substrings

Reference: CVE-2006-6629

Description:

allow load of macro files whose names contain certain substrings.

▼Weakness Ordinalities

Ordinality	Description
Primary	N/A

Ordinality: Primary

Description:

N/A

▼Detection Methods

Automated Static Analysis

Detection Method ID:DM-14

Description:

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness:High

▼Vulnerability Mapping Notes

Usage:Allowed

Reason:Acceptable-Use

Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

▼Taxonomy Mappings

Taxonomy Name	Entry ID	Fit	Entry Name
The CERT Oracle Secure Coding Standard for Java (2011)	IDS08-J	N/A	Sanitize untrusted data passed to a regex

Taxonomy Name: The CERT Oracle Secure Coding Standard for Java (2011)

Entry ID: IDS08-J

Fit: N/A

Entry Name: Sanitize untrusted data passed to a regex

▼References

Reference ID: REF-62

Title: The Art of Software Security Assessment

Author: Mark Dowd, John McDonald, Justin Schuh

Section: Chapter 8, "Character Stripping Vulnerabilities", Page 437

Publication:

Publisher:Addison Wesley

Edition:1st Edition

Day:N/A

Month:N/A

Year:2006