CWE-185

誤った正規表現

Incorrect Regular Expression

脆弱性レビュー中

日本語説明

製品が正規表現を指定したために、データの照合や比較が不正に行われた。

正規表現がフィルタリングやバリデーションなどの保護メカニズムで使用されている場合、攻撃者が意図した受信データの制限をバイパスできる可能性があります。

原文 (English)

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data.

関連する脆弱性

想定される影響

Scope: Other / Impact: Unexpected State; Varies by Context

Scope: Access Control / Impact: Bypass Protection Mechanism

対策・緩和策

Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression.

外部リンク

MITRE公式ページ — CWE-185