
SonarQube regex security hotspot for replaceAll

The following code flags a security hotspot in SonarQube due to backtracking when evaluating the regular expression, which could lead to DoS. The regular expression is fine because it is not flagged elsewhere in the code, so this leads me to think SonarQube is flagging this because it is using replaceAll. I have read this post, "Is use of ReplaceAll() method forbidden in SonarQube", but don't think this applies here. My boss wants me to fix this without using the //NOSONAR comment, but I'm not sure what needs fixing.

      // Group 1: scheme and user name up to ':', group 2: password, group 3: '@' plus host and the rest
      final String MONGO_REG = "(mongodb://.+:)(.*)(@.+)";
      final String PASSWD_REPLACEMENT = "XXXXXXXXXX";
      String mongoUri = "mongodb://myDBReader:D1fficultP%40ssw0rd@mongodb0.example.com:27017/?authSource=admin";
      // String.replaceAll(String, String) compiles MONGO_REG on every call; this is the line SonarQube flags
      String newMongoUri = mongoUri.replaceAll(MONGO_REG, "$1" + PASSWD_REPLACEMENT + "$3");
      logger.info(">> {}", newMongoUri);

Using Java 11. Can anyone see how I can fix this?


If you use it that way, you should use Pattern.compile instead. SonarQube isn't able to check that you use a regular pattern.
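The fix the answer points to, written out as an added example (not code from the question or the answer): compile the pattern once into a static final field and call Matcher.replaceAll on it, so the regex is a visible constant rather than a string passed to String.replaceAll. The pattern is also anchored and tightened with negated character classes; that tightening is my assumption about the URI shape (no unencoded ':', '@' or '/' in the user name, no unencoded '@' in the password, which the %40 in the sample already respects) and is what removes the backtracking across the separators.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class MongoUriMasker {

    // Compiled once (the fix suggested in the answer). Anchored, and each
    // variable-length part uses a negated class that excludes the separator
    // that follows it, so the engine cannot retry alternative splits.
    // Assumption: user name contains no unencoded ':' '@' or '/', password
    // contains no unencoded '@' (URI-encoded forms such as %40 are fine).
    // "mongodb+srv://" is accepted as well as "mongodb://".
    private static final Pattern MONGO_CREDENTIALS = Pattern.compile(
            "^(mongodb(?:\\+srv)?://[^:@/]+:)([^@]*)(@.+)$");

    private static final String PASSWD_REPLACEMENT = "XXXXXXXXXX";

    private MongoUriMasker() {
    }

    /**
     * Returns the URI with the password replaced by a fixed mask.
     * A URI without a "user:password@" part does not match and is returned unchanged.
     */
    public static String maskPassword(String mongoUri) {
        Matcher m = MONGO_CREDENTIALS.matcher(mongoUri);
        // The replacement is a fixed string with no '$' or '\', so
        // Matcher.quoteReplacement is not needed here.
        return m.replaceAll("$1" + PASSWD_REPLACEMENT + "$3");
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the credentials are fictional.
        String withCreds =
                "mongodb://myDBReader:D1fficultP%40ssw0rd@mongodb0.example.com:27017/?authSource=admin";
        String noCreds = "mongodb://mongodb0.example.com:27017/?authSource=admin";
        System.out.println(maskPassword(withCreds));
        System.out.println(maskPassword(noCreds));
    }
}
```

Because the pattern is anchored and every class is disjoint from the literal that follows it, a non-matching input (such as a URI without credentials) fails after a single pass rather than after the engine has tried every way of splitting the string.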
