CWE-186: Overly Restrictive Regular Expression
ID
CWE-186
Abstraction
Base
Structure
Simple
Status
Draft
A regular expression is overly restrictive, which prevents dangerous values from being detected.
This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not "complex" but the value "9" is not matched when maybe the programmer planned to check for it.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Language | Not Language-Specific |
Relationships
| View | Weakness | |||||||
|---|---|---|---|---|---|---|---|---|
| # ID | View | Status | # ID | Name | Abstraction | Structure | Status | |
| CWE-1000 | Research Concepts | Draft | CWE-185 | Incorrect Regular Expression | Class | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-184 | Incomplete List of Disallowed Inputs | Base | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-183 | Permissive List of Allowed Inputs | Base | Simple | Draft | |
Loading...