The product uses a regular expression that does not sufficiently restrict the set of allowed values.
This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison against the target. In some cases, this can lead to other weaknesses. Common errors include:
- not identifying the beginning and end of the target string
- using wildcards instead of acceptable character ranges
- others
Threat Mapped score: 0.0
Industry: Financial
Threat priority: Unclassified
CVE: CVE-2021-22204 — KEV
Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV.
CVE: CVE-2006-1895
".*" regexp leads to static code injection
CVE: CVE-2002-2175
Insertion of username into regexp results in partial comparison, causing the wrong database entry to be updated when one username is a substring of another.
CVE: CVE-2006-4527
Regexp intended to verify that all characters are legal only checks that at least one is legal, enabling file inclusion.
CVE: CVE-2005-1949
Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
CVE: CVE-2002-2109
Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
CVE: CVE-2006-6511
Regexp in .htaccess file allows access to files whose names contain certain substrings.
CVE: CVE-2006-6629
Allows loading of macro files whose names contain certain substrings.
Phase | Note |
---|---|
Implementation | This problem is frequently found when the regular expression is used in input validation or security features such as authentication. |
Intro: The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers.

```perl
$phone = GetPhoneNumber();
if ($phone =~ /\d+-\d+/) {
    # looks like it only has hyphens and digits
    system("lookup-phone $phone");
}
else {
    error("malformed number!");
}
```

Body: An attacker could provide an argument such as: "; ls -l ; echo 123-456". This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression.
Intro: This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command.

```python
import subprocess
import re

def validate_ip_regex(ip: str):
    ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}")
    if ip_validator.match(ip):
        return ip
    else:
        raise ValueError("IP address does not match valid pattern.")

def run_ping_regex(ip: str):
    validated = validate_ip_regex(ip)
    # The ping command treats zero-prepended IP addresses as octal
    result = subprocess.call(["ping", validated])
    print(result)
```

Body: Since the regular expression has no anchors (CWE-777), i.e. it is unbounded, lacking ^ or $ characters, prepending a 0 or 0x to the beginning of the IP address will still result in a matched regex pattern. Since the ping command supports octal and hex prepended IP addresses, it will use the unexpectedly valid IP address (CWE-1389). For example, "0x63.63.63.63" would be considered equivalent to "99.63.63.63". As a result, the attacker could potentially ping systems that the attacker cannot reach directly.
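Both examples above, carried through as an added example (not code from the CWE entry): the page's permissive patterns beside anchored counterparts that spell out each octet in full and use fullmatch(), run over constructed inputs including the page's "; ls -l ; echo 123-456". It also shows the Python-specific caveat that "$" still accepts a trailing newline, which is why fullmatch() rather than ^...$ is the safer fix.

```python
import re

# Permissive patterns exactly as they appear in this page's two examples.
PHONE_PERMISSIVE = re.compile(r"\d+-\d+")
IP_PERMISSIVE = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}")

# Hardened counterparts (added here, not from the page). Each octet is spelled
# out in full so nothing falls through a bare "\d", and the callers below use
# fullmatch() so the whole input, not just a substring, must fit the pattern.
OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
PHONE_STRICT = re.compile(r"\d+-\d+")
IP_STRICT = re.compile(rf"{OCTET}(\.{OCTET}){{3}}")

def phone_permissive_ok(s: str) -> bool:
    # search() mirrors Perl's $phone =~ /\d+-\d+/ : a match anywhere suffices.
    return PHONE_PERMISSIVE.search(s) is not None

def phone_dollar_ok(s: str) -> bool:
    # The usual half-fix. In Python "$" also matches just before a trailing
    # newline, so "123-456\n" is still accepted.
    return re.match(r"^\d+-\d+$", s) is not None

def phone_strict_ok(s: str) -> bool:
    return PHONE_STRICT.fullmatch(s) is not None

def ip_permissive_ok(s: str) -> bool:
    # match() anchors only the start; anything after the 4th octet is ignored.
    return IP_PERMISSIVE.match(s) is not None

def ip_strict_ok(s: str) -> bool:
    return IP_STRICT.fullmatch(s) is not None

def audit(checks, samples):
    """Return {sample: {check_name: verdict}} for a side-by-side comparison."""
    return {s: {name: fn(s) for name, fn in checks} for s in samples}

if __name__ == "__main__":
    # Constructed inputs, including the injection string quoted on the page.
    phones = ["123-456", "; ls -l ; echo 123-456", "123-456\n"]
    ips = ["63.63.63.63", "1.2.3.4.5", "63.63.63.63; ls", "063.63.63.63"]
    for s, verdicts in audit([("permissive", phone_permissive_ok),
                              ("dollar", phone_dollar_ok),
                              ("strict", phone_strict_ok)], phones).items():
        print(repr(s), verdicts)
    for s, verdicts in audit([("permissive", ip_permissive_ok),
                              ("strict", ip_strict_ok)], ips).items():
        print(repr(s), verdicts)
```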