Cadet 1st Class

Could Fortify help us scan for the issue of ReDoS (Regular Expression Denial of Service)?

Hi,

Currently we write a simple "bad" regular expression and scan the project with Fortify. We could not get the scan issue from Fortify.... Just to confirm, can we get ReDoS issues from Fortify? If yes... how?

Vice Admiral

There are rules for this category of vulnerability, as shown on vulncat: https://vulncat.hpefod.com/en/detail?id=desc.dataflow.java.denial_of_service_regular_expression#Java%2fJSP

If you think there is a false negative (i.e. SCA should be reporting a vulnerability on your use of regular expressions, but isn't), I recommend opening a support case (email fortifytechsupport@hpe.com or log in to https://support.fortify.com) and sending us some sample code which should be triggering that vulnerability.
We can check into it, make sure you're using some supported APIs, and if necessary involve our Security Research Group, who write the rules.

-Josh
Fortify L3 support engineer

Commodore

Hi @allencpp,

Fortify is able to find potential ReDoS, but only when SCA detects that a regex pattern is defined (fully or partially) from unvalidated user input. That is because ReDoS rules are actually data flow rules rather than semantic rules that evaluate all of your application's regexes.

If you want Fortify to evaluate all of your statically defined regex patterns to check for potential ReDoS, you can write a semantic rule to use in future scans.

Hope this is useful.

Best regards.

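To make the distinction in the reply above concrete, here is an added Java example (it is not code from the thread, from Fortify, or from its rule packs). It shows the two situations side by side: a regex assembled from untrusted input, which is the data flow case a ReDoS rule is built to report, and a statically defined pattern with nested quantifiers, which no data flow rule can see because nothing tainted reaches it. The `looksLikeNestedQuantifier` check is a simple heuristic of the kind a custom semantic rule might encode, and all method and class names are this example's own.

```java
import java.util.regex.Pattern;

// Added example (not from the original thread or from Fortify).
public class RedosExamples {

    // Case 1 (data flow): the regex itself is assembled from user input, so
    // whoever controls userPattern controls the backtracking behaviour.
    // This is the shape the data flow ReDoS rule is designed to report.
    static boolean vulnerableContains(String haystack, String userPattern) {
        return Pattern.compile(".*" + userPattern + ".*").matcher(haystack).matches();
    }

    // Hardened: treat the input as a literal search string, never as regex
    // syntax. Pattern.quote wraps it in \Q...\E so metacharacters are inert.
    static boolean hardenedContains(String haystack, String userInput) {
        Pattern p = Pattern.compile(Pattern.quote(userInput));
        return p.matcher(haystack).find();
    }

    // Case 2 (static pattern): no tainted data reaches the pattern, so the
    // data flow rule stays silent, even though a quantified group that is
    // itself quantified backtracks exponentially on non-matching input
    // (a long run of 'a' followed by one other character).
    static final Pattern STATIC_EVIL = Pattern.compile("^(a+)+$");

    // Structural check of the kind a custom semantic rule would encode:
    // a group containing + or * that is followed by +, * or {. Heuristic
    // only; it ignores escapes and nested groups.
    static final Pattern NESTED_QUANTIFIER =
            Pattern.compile("\\([^()]*[+*][^()]*\\)[+*{]");

    static boolean looksLikeNestedQuantifier(String regex) {
        return NESTED_QUANTIFIER.matcher(regex).find();
    }

    // Mitigation that works regardless of the pattern: bound the input length
    // before matching so worst-case backtracking stays cheap.
    static boolean boundedMatch(Pattern p, String input, int maxLen) {
        if (input.length() > maxLen) {
            return false;
        }
        return p.matcher(input).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(hardenedContains("price is $10", "$10"));      // true
        System.out.println(looksLikeNestedQuantifier("^(a+)+$"));         // true
        System.out.println(looksLikeNestedQuantifier("^[a-z]+@[a-z]+$")); // false
        System.out.println(boundedMatch(STATIC_EVIL, "aaaa", 32));        // true
    }
}
```

A scanner's data flow rule would flag `vulnerableContains` (tainted data reaches `Pattern.compile`) and accept `hardenedContains`; `STATIC_EVIL` is only reachable by a structural check such as `looksLikeNestedQuantifier`, which is what the reply means by writing a semantic rule.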