Skip to main content
assistive.skiplink.to.breadcrumbs
assistive.skiplink.to.header.menu
assistive.skiplink.to.action.menu
assistive.skiplink.to.quick.search

Page History

Versions Compared

Old Version 118

changes.mady.by.user Derek Leung

Saved on Nov 21, 2018

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on Aug 06, 2025

Key

This line was added.
This line was removed.
Formatting was changed.

Comment: REM cost reform

...

This compliant solution sanitizes the search terms by using Pattern.quote() to escape any malicious characters in the search string. Unlike the previous compliant solution, a search string using punctuation characters, such as "name =" is permitted.

Code Block

bgColor	#ccccff

	public static void FindLogEntry(String search) {
		// Sanitize search string
        search = Pattern.quote(search);
		// Construct regex dynamically from user string
		String regex = "(.*? +public\\[\\d+\\] +.*" + search + ".*)";
        // ...
    }

...

Failing to sanitize untrusted data included as part of a regular expression can result in the disclosure of sensitive information.

Rule	Severity	Likelihood	Detectable	RepairableRemediation Cost	Priority	Level
IDS08-J	Medium	Unlikely	Yes	MediumNo	P4	L3

Automated Detection

Tool

Version

Checker

Description

The Checker Framework

Include Page

	The Checker Framework_V
	The Checker Framework_V

Tainting Checker

Trust and security errors (see Chapter 8)

Include Page

	CodeSonar_V
	CodeSonar_V

JAVA.IO.TAINT.REGEX

Tainted Regular Expression (Java)

Include Page

	SonarQube_V
	SonarQube_V

Regular expressions should not be vulnerable to Denial of Service attacks

Related Guidelines

CWE-625, Permissive Regular Expression

...

[CVE 05]	CVE-2005-1949
[Java Tutorials]	Regular Expressions
[Seacord 2015]	IDS08-J. Sanitize untrusted data passed to a regex LiveLesson

...

Image Added Image Modified Image Modified IDS09-J. Specify an appropriate locale when comparing locale-dependent data