Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-625: Permissive Regular Expression

Weakness ID: 625
Abstraction: Base
Status: Draft
Presentation Filter:
+ Description

Description Summary

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

Extended Description

This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:

  • not identifying the beginning and end of the target string

  • using wildcards instead of acceptable character ranges

  • others

+ Time of Introduction
  • Implementation
+ Applicable Platforms




+ Modes of Introduction

This problem is frequently found when the regular expression is used in input validation or security features such as authentication.

+ Common Consequences
Access Control

Technical Impact: Bypass protection mechanism

+ Demonstrative Examples

Example 1

(Bad Code)
Example Language: Perl 
$phone = GetPhoneNumber();
if ($phone =~ /\d+-\d+/) {
# looks like it only has hyphens and digits
system("lookup-phone $phone");
else {
error("malformed number!");

An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression.

+ Observed Examples
".*" regexp leads to static code injection
insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another.
regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion.
Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
regexp in .htaccess file allows access of files whose names contain certain substrings
allow load of macro files whose names contain certain substrings.
VIM Mailing list, March 14, 2006
+ Potential Mitigations

Phase: Implementation

When applicable, ensure that the regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl.

+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class185Incorrect Regular Expression
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory845CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)
Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844
ChildOfCategoryCategory990SFP Secondary Cluster: Tainted Input to Command
Software Fault Pattern (SFP) Clusters (primary)888
PeerOfWeakness BaseWeakness Base183Permissive Whitelist
Research Concepts1000
PeerOfWeakness BaseWeakness Base184Incomplete Blacklist
Research Concepts1000
PeerOfWeakness BaseWeakness Base187Partial Comparison
Research Concepts1000
ParentOfWeakness VariantWeakness Variant777Regular Expression without Anchors
Development Concepts (primary)699
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CERT Java Secure CodingIDS08-JSanitize untrusted data passed to a regex
+ References
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 8, "Character Stripping Vulnerabilities", Page 437.. 1st Edition. Addison Wesley. 2006.
+ Content History
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable_Platforms, Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities
2009-03-10CWE Content TeamMITREInternal
updated Description
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative_Examples
2009-07-27CWE Content TeamMITREInternal
updated Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11CWE Content TeamMITREInternal
updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-06-23CWE Content TeamMITREInternal
updated Modes_of_Introduction, Other_Notes
2014-07-30CWE Content TeamMITREInternal
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017