Denial of Service: Regular Expression (Input Validation and Representation, Data Flow)


I am using the HP Fortify tool to detect vulnerabilities in my project, and it is flagging some code as vulnerable to a DoS attack.

The flagged code reads some regular expressions from a '.properties' file and then tries to create a pattern with Pattern.compile(regex);

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to over-consume CPU resources.

Query: now, for the solution,

  • if I hard-code the regular expression in the Java file itself, it will not be dynamic anymore.
  • I am not sure whether there should be a validation on the properties that are read.

Could anyone suggest what kind of validation against DoS can be used?


It's mentioned in the OWASP guidelines - some controls/checks that you can try.

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
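An added example, not part of the question or the answer, of the kind of check the asker is after, in Java: a lint applied to the configured regex before Pattern.compile that rejects the nested-quantifier shape OWASP describes, plus a time budget on each match so that a pattern which slips past the lint still cannot pin a thread. The class name, the limits and the lint heuristic are illustrative assumptions, not Fortify, OWASP or JDK APIs.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added example: guarding a regex read from a .properties file before it is
 * compiled and used. Class name, limits and heuristic are illustrative assumptions.
 */
public final class SafeRegex {

    /** Illustrative limits; tune for the application. */
    private static final int MAX_PATTERN_LENGTH = 256;
    private static final long MATCH_BUDGET_MILLIS = 200;

    /**
     * Heuristic lint: a quantified group that is itself quantified, e.g. (a+)+ or
     * (\d*){2,}, is the classic exponential-backtracking shape (see OWASP ReDoS).
     * It also rejects some harmless patterns; that is the intended trade-off.
     */
    private static final Pattern NESTED_QUANTIFIER =
            Pattern.compile("\\([^()]*[+*]\\)\\s*[+*{]");

    private SafeRegex() {}

    /** Thrown when a match is cut off by the time budget. */
    public static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String msg) { super(msg); }
    }

    /** Compile a configured regex, rejecting oversized or obviously dangerous patterns. */
    public static Pattern compileChecked(String regex) {
        if (regex == null || regex.isEmpty()) {
            throw new IllegalArgumentException("empty regex in configuration");
        }
        if (regex.length() > MAX_PATTERN_LENGTH) {
            throw new IllegalArgumentException("regex too long: " + regex.length());
        }
        if (NESTED_QUANTIFIER.matcher(regex).find()) {
            throw new IllegalArgumentException("nested quantifier rejected: " + regex);
        }
        try {
            return Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            throw new IllegalArgumentException("invalid regex in configuration", e);
        }
    }

    /**
     * CharSequence wrapper that aborts once a deadline passes. java.util.regex reads
     * the input through charAt() at every step, so a runaway backtrack is stopped at
     * the next character read instead of consuming CPU indefinitely.
     */
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public char charAt(int index) {
            if (System.nanoTime() - deadlineNanos > 0) {
                throw new RegexTimeoutException("regex match exceeded time budget");
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** matches() under a time budget; a timed-out match is logged and reported as no match. */
    public static boolean matchesWithinBudget(Pattern pattern, String input) {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(MATCH_BUDGET_MILLIS);
        Matcher m = pattern.matcher(new DeadlineCharSequence(input, deadline));
        try {
            return m.matches();
        } catch (RegexTimeoutException e) {
            System.err.println("WARN " + e.getMessage() + ": " + pattern.pattern());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for values read from a .properties file.
        Pattern benign = compileChecked("[a-z]+@[a-z]+\\.com");
        System.out.println("benign match: " + matchesWithinBudget(benign, "user@example.com"));

        try {
            compileChecked("(a+)+$");   // the lint rejects this shape before Pattern.compile
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }

        // Same pattern compiled directly, bypassing the lint, to show the time budget:
        // a run of 'a' followed by a non-matching character forces exponential backtracking.
        Pattern evil = Pattern.compile("(a+)+$");
        String payload = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!";
        System.out.println("evil match: " + matchesWithinBudget(evil, payload));
    }
}
```

The lint only catches one common shape; a pattern such as `(a|aa)+$` passes it and still backtracks exponentially, which is why the time budget is the real safety net and the lint is just a cheap early rejection. If the configured regexes can be restricted to the RE2 syntax subset, a linear-time engine such as re2j removes this problem class entirely.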