How to prevent "regex injection"?

How to prevent something that I would call "regex injection"?

I use regular expressions to parse strings that may look like this, for example:

Size: 10, qty: 20

Writing a regular expression to capture "10" and "20" is not a problem in itself. "Size" and "qty", however, are customizable: the user can choose other words instead.

So what I am doing:

var pattern = String.Format(
                    @"{0}[ \t]*(?<size>{1}|\d*)[ \t]*:[ \t]*{2}:[ \t]*(?<quantity>[\d]*)",
                    sizeSign,
                    univerSizeAbbrev,
                    qtySign);

But how do I "sanitize" sizeSign, qtySign (or univerSizeAbbrev, for that matter)?

Regex does not have parameterized procedures like SQL does (?), so how do I make sure that sizeSign and qtySign are always treated as literals, regardless of what they contain?

+5
3 answers

Use Regex.Escape:

Escapes a minimal set of characters (\, *, +, ?, |, {, [, (, ), ^, $, ., #, and white space) by replacing them with their escape codes. This instructs the regular expression engine to interpret these characters literally rather than as metacharacters.

+9

Make sure you include:

using System.Text.RegularExpressions;

And then escape the variables:

sizeSign = Regex.Escape(sizeSign);
qtySign = Regex.Escape(qtySign);
+3
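An added example, not part of the question or of any answer above: it builds a simplified version of the question's parser with and without Regex.Escape and feeds it user-chosen labels. The pattern shape (`^label:[ \t]*(?<size>\d+),[ \t]*label:[ \t]*(?<quantity>\d+)$`, which matches "Size: 10, qty: 20"), the class name and the injected labels are assumptions made for this example; the match timeout is an extra precaution the answers do not mention.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: user-controlled labels interpolated into a regex,
// raw versus passed through Regex.Escape.
static class RegexInjectionDemo
{
    // Pattern shape is an assumption for this example (simpler than the one in
    // the question); it accepts lines such as "Size: 10, qty: 20".
    static Regex BuildParser(string sizeSign, string qtySign, bool escape)
    {
        if (escape)
        {
            sizeSign = Regex.Escape(sizeSign);
            qtySign = Regex.Escape(qtySign);
        }
        string pattern = String.Format(
            @"^{0}:[ \t]*(?<size>\d+),[ \t]*{1}:[ \t]*(?<quantity>\d+)$",
            sizeSign, qtySign);
        // Match timeout as defense in depth: even an escaped label cannot
        // change the pattern, but a timeout bounds the cost of any pattern
        // that backtracks badly on hostile input.
        return new Regex(pattern, RegexOptions.None, TimeSpan.FromMilliseconds(200));
    }

    static void Try(string label, string sizeSign, string qtySign, string input, bool escape)
    {
        try
        {
            Match m = BuildParser(sizeSign, qtySign, escape).Match(input);
            Console.WriteLine("{0}: success={1} size='{2}' quantity='{3}'",
                label, m.Success, m.Groups["size"].Value, m.Groups["quantity"].Value);
        }
        catch (ArgumentException ex)
        {
            // Thrown by the Regex constructor when the assembled pattern is invalid.
            Console.WriteLine("{0}: pattern rejected by Regex ctor: {1}", label, ex.Message);
        }
        catch (RegexMatchTimeoutException)
        {
            Console.WriteLine("{0}: match timed out", label);
        }
    }

    static void Main()
    {
        // Honest labels: both variants parse the line (size=10, quantity=20).
        Try("benign, raw    ", "Size", "qty", "Size: 10, qty: 20", escape: false);
        Try("benign, escaped", "Size", "qty", "Size: 10, qty: 20", escape: true);

        // Injected label "Size|.*" (constructed input): raw, the "|" splits the
        // whole pattern into "^Size" OR ".*:...$", so the bare line "Size"
        // "parses" successfully with empty groups. Escaped, the label becomes
        // the literal text Size|.* and the line does not match.
        Try("injected, raw    ", "Size|.*", "qty", "Size", escape: false);
        Try("injected, escaped", "Size|.*", "qty", "Size", escape: true);

        // Injected label with an unbalanced ")" (constructed input): raw, the
        // Regex constructor throws ArgumentException, an easy way to crash the
        // parser; escaped, ")" is just a literal character in the label.
        Try("broken, raw    ", "Size)", "qty", "Size): 10, qty: 20", escape: false);
        Try("broken, escaped", "Size)", "qty", "Size): 10, qty: 20", escape: true);
    }
}
```

Escape each user-supplied fragment at the point where it is interpolated, never the whole assembled pattern, or the metacharacters that are meant to be metacharacters would be escaped too.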

// requires: using System.Linq;
// true if str contains any character that is not a letter; false when str is letters only
str.Any(ch => !Char.IsLetter(ch));

0
