fortify Denial of Service: Regular Expression
Question
I am using the split function, but getting an issue in Fortify: Denial of Service: Regular Expression. Please find the sample code below.

```java
String service = "abc";
String accessUrl = "https://www.google.com/abc/def";
String urlStringPart = accessUrl.split(service + "/")[1];
```
Answer 1
Score: 2
OK, so it looks like Fortify has concluded that `service` could be injected from some request parameter. That's not possible if the real code is equivalent to what you have shown us.

On the other hand ...

If `service` did come from a request parameter ... or something else that a remote user could inject ... then there is a real risk of a denial of service attack. The issue is the argument to `split` is a regex, not just a simple string. The bad guy could inject any regex there, including a regex that is carefully crafted to trigger catastrophic backtracking. This could waste a lot of CPU ...

As noted: one fix is to use `Pattern.quote(service)` so that the bad guy can't inject a regex.
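The following is an added example, not code from the question or the answer above. It puts the questioner's `split` call next to the `Pattern.quote` fix the answer recommends, plus a regex-free `indexOf`/`substring` variant (my addition, assuming the caller only needs the text after the first occurrence of the separator). The `main` method drives all three with constructed inputs: a benign `service`, one containing a regex metacharacter, and one that is not valid regex syntax, to show where the unquoted call leaks regex semantics and where the bounds check on `[1]` matters.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class SafeUrlSplit {

    // The call from the question: the separator is handed to String.split,
    // which compiles it as a regular expression. Any regex syntax inside
    // `service` is honoured, and an absent separator makes [1] throw
    // ArrayIndexOutOfBoundsException.
    static String unsafeSplit(String accessUrl, String service) {
        return accessUrl.split(service + "/")[1];
    }

    // The fix from the answer: Pattern.quote wraps `service` in \Q...\E so
    // every character is matched literally; no attacker-supplied pattern is
    // ever compiled. The length check reports a missing separator instead of
    // failing on the array index.
    static String quotedSplit(String accessUrl, String service) {
        String[] parts = accessUrl.split(Pattern.quote(service) + "/");
        if (parts.length < 2) {
            throw new IllegalArgumentException("separator not present: " + service + "/");
        }
        return parts[1];
    }

    // Regex-free alternative (assumption: only the text after the first
    // occurrence of the separator is needed). indexOf/substring never compile
    // a pattern, so there is nothing for a crafted input to backtrack on.
    static String literalSplit(String accessUrl, String service) {
        String separator = service + "/";
        int at = accessUrl.indexOf(separator);
        if (at < 0) {
            throw new IllegalArgumentException("separator not present: " + separator);
        }
        return accessUrl.substring(at + separator.length());
    }

    public static void main(String[] args) {
        String accessUrl = "https://www.google.com/abc/def";

        // Benign input: all three variants agree.
        System.out.println(unsafeSplit(accessUrl, "abc"));   // def
        System.out.println(quotedSplit(accessUrl, "abc"));   // def
        System.out.println(literalSplit(accessUrl, "abc"));  // def

        // Constructed input with a regex metacharacter. "." matches any
        // character, so the unquoted call still matches "abc/" even though
        // the URL contains no literal "a.c/".
        String meta = "a.c";
        System.out.println(unsafeSplit(accessUrl, meta));    // def (regex semantics leaked)
        try {
            quotedSplit(accessUrl, meta);                    // literal "a.c/" is not in the URL
        } catch (IllegalArgumentException e) {
            System.out.println("quoted: " + e.getMessage());
        }

        // Constructed input that is not valid regex syntax: the unquoted call
        // fails inside the regex compiler, the quoted call treats it as text.
        String malformed = "abc(";
        try {
            unsafeSplit(accessUrl, malformed);
        } catch (PatternSyntaxException e) {
            System.out.println("unsafe: " + e.getDescription()); // Unclosed group
        }
        try {
            quotedSplit(accessUrl, malformed);
        } catch (IllegalArgumentException e) {
            System.out.println("quoted: " + e.getMessage());
        }
    }
}
```

The point of `quotedSplit` and `literalSplit` is the same one the answer makes: once the separator can never be interpreted as a pattern, a remote user who controls `service` can at most make the separator not match, which the length check turns into an ordinary error rather than an exception from `[1]`. Fortify's finding goes away with either variant because no untrusted string reaches `Pattern.compile`.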
Comments