How to prevent "regex injection"?

Question

How to prevent something I'd call "regex injection"?

I'm using regular expressions to parse strings that might look like - one of the examples -

Size: 10, qty: 20

Writing a regex to capture "10" and "20" is not hard by itself. "Size" and "qty" are, however, customizable - user can choose some other words instead.

So what I do is:

var pattern = String.Format(
                    @"{0}[ \t]*(?<size>{1}|\d*)[ \t]*:[ \t]*{2}:[ \t]*(?<quantity>[\d]*)",
                    sizeSign,
                    univerSizeAbbrev,
                    qtySign);

But how do I 'sanitize' sizeSign, qtySign (or univerSizeAbbrev for that matter)?

Regex does not have procedure parameters like SQL does (?), so how do I make sure, positively sure that sizeSign and qtySign are always treated as literals, whatever they are.

score 10 · Accepted Answer · answered Jul 07 '11 at 08:40

Use Regex.Escape:

Escapes a minimal set of characters (\, *, +, ?, |, {, [, (,), ^, $,., #, and white space) by replacing them with their escape codes. This instructs the regular expression engine to interpret these characters literally rather than as metacharacters.

score 4 · Answer 2 · answered Jul 07 '11 at 08:41

4

Make sure you include:

using System.Text.RegularExpressions;

And then escape the variables like this:

sizeSign = Regex.Escape(sizeSign);
qtySign = Regex.Escape(qtySign);

answered Jul 07 '11 at 08:41

EdoDodo

8,220
3
24
30

score 0 · Answer 3 · answered Jul 07 '11 at 08:41

0

If you are allowed to assume that the identifiers can only consist of letter characters, this becomes easy. Just test each with

str.Any(ch => ! Char.IsLetter(ch));

and reject any choices for which this returns false.

answered Jul 07 '11 at 08:41

Brennan Vincent

10,736
9
32
54

How to prevent "regex injection"?

3 Answers3