OverlyLargeRange.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
A regexp range can by accident match more than was intended.
For example, the regular expression <code>/[a-zA-z]/</code> will
match every lowercase and uppercase letter, but the same regular
expression will also match the characters <code>[\]^_`</code>,
which lie between <code>Z</code> and <code>a</code> in ASCII.
</p>
<p>
It can also happen that a dash inside a character class is not
escaped, so it is interpreted as a range operator rather than a
literal dash. For example, in the character class <code>[a-zA-Z0-9%=.,-_]</code>
the last character range matches the 55 characters between
<code>,</code> and <code>_</code> (both included), which overlaps with the
range <code>[0-9]</code> and is thus clearly not intended.
</p>
</overview>
<recommendation>
<p>
Don't write character ranges where there might be confusion as to
which characters are included in the range.
</p>
</recommendation>
<example>
<p>
The following example code checks whether a string is a valid 6-digit hex color.
</p>
<sample language="python">
import re

def is_valid_hex_color(color):
    # Deliberately flawed: the A-f range is wider than intended.
    return re.match(r'^#[0-9a-fA-f]{6}$', color) is not None
</sample>
<p>
However, the <code>A-f</code> range matches every uppercase character, and
thus a "color" like <code>#XYZ</code> is considered valid.
</p>
<p>
The fix is to use an uppercase <code>A-F</code> range instead.
</p>
<sample language="python">
import re

def is_valid_hex_color(color):
    # Fixed: uppercase hex digits are A-F only.
    return re.match(r'^#[0-9a-fA-F]{6}$', color) is not None
</sample>
</example>
<references>
<li>Mitre.org: <a href="https://cwe.mitre.org/data/definitions/20.html">CWE-020</a></li>
<li>github.com: <a href="https://github.com/advisories/GHSA-g4rg-993r-mgx7">CVE-2021-42740</a></li>
<li>wh0.github.io: <a href="https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html">Exploiting CVE-2021-42740</a></li>
</references>
</qhelp>