
To help stop SQL Injection attacks, I am going through about 2000 parameter requests in my code to validate them. I validate them by determining what type of value (e.g. integer, double) they should return and then applying a function to them to sanitize the value.

Any requests I have dealt with look like this

*SecurityIssues.*(request.getParameter

where * signifies any number of characters on the same line.

What RegExp expression can I use in the Eclipse search (CTRL+H) which will help me search for all the ones I have not yet dealt with, i.e. all the times that the text request.getParameter appears when it is not preceded by the word SecurityIssues?

Examples for matches

The regular expression should match each of the following e.g.

int companyNo = StringFunctions.StringToInt(request.getParameter("COMPANY_NO"))
double percentage = StringFunctions.StringToDouble(request.getParameter("MARKETSHARE"))
int c = request.getParameter("DUMMY")

But should not match:

int companyNo = SecurityIssues.StringToIntCompany(request.getParameter("COMPANY_NO"))
Raymond Hettinger
gordon613
  • Give just one or two example values of what the regular expression should match. And `.*` matches anything (also `request.getParameter`), so maybe consider `.*?` (reluctant). – michaeak Mar 29 '17 at 17:05
  • e.g. it should NOT match `int companyNo = SecurityIssues.StringToIntCompany(request.getParameter("COMPANY_NO"))` but it should match `int companyNo = StringFunctions.StringToInt(request.getParameter("COMPANY_NO"))` – gordon613 Mar 29 '17 at 17:07
  • Are there other functions it should match, like `StringToDouble` etc.? – michaeak Mar 29 '17 at 17:13
  • Yes, also places where there is no function at all e.g. `int c = request.getParameter("DUMMY")` (Have to leave office now, will update tomorrow.) – gordon613 Mar 29 '17 at 17:21
  • Please see also http://stackoverflow.com/questions/406230/regular-expression-to-match-a-line-that-doesnt-contain-a-word – michaeak Mar 30 '17 at 08:40
  • And also http://stackoverflow.com/questions/717644/regular-expression-that-doesnt-contain-certain-string – michaeak Mar 30 '17 at 08:49

2 Answers


Try e.g.

=\s*?((?!SecurityIssues).)*?(request\.getParameter)\(

Notes

Parentheses ( or ) are special characters for group matching. They need to be escaped with \. .* will match anything, also characters that you don't want it to match. So .*? will prevent it from matching anything (reluctant). This can be helpful if after the wildcard other items need to match.

There is a tutorial at https://docs.oracle.com/javase/tutorial/essential/regex/index.html , I think all of these should be available in eclipse. You can then deal with generic replacement also.

Problem

From reading Regular expression that doesn't contain certain string and Regular expression to match a line that doesn't contain a word? it seems quite difficult to create a regex matching anything but not to contain a certain word.

michaeak
  • without a closing parenthesis, eclipse says "unclosed group near index 48). Also I would need to catch e.g. StringToDouble as well as StringToInt and also I would need to catch places where there is no function there as well e.g. int c=request.getParameter – gordon613 Mar 29 '17 at 17:19
  • Sorry, the marking as code was gone, so the `\\` disappeared. Also made it possible to have multiple functions match. – michaeak Mar 29 '17 at 17:20
  • This looks great - it is just that I do not know the names of all the functions in advance, and I would need something more generic... – gordon613 Mar 29 '17 at 17:23

With inspiration and the links provided by @michaeak (thank you), as well as testing in https://regex101.com/ I appear to have found the answer:

^((?!SecurityIssues).)*(request\.getParameter)

The advantage of this answer is that I can blacklist the word SecurityIssues, as opposed to having to whitelist the formats that I do want.

Note that it is relatively slow, and also slowed down my computer a lot when performing the search.

gordon613
  • This one works, but the `^` at the beginning is not essential. And the `*` in the middle could lead to omit true matches. I think it should be appended by `?`. Actually I was trying this one as well, but also to match the `=` character. But I did not understand the `^` was just to mark the beginning of the match ... – michaeak Mar 30 '17 at 14:43
  • In line with how I understand StackOverflow protocol, this answer has been marked as the correct answer for the following reason: this answer was the first answer to answer the question - in that the question was looking for blacklisting a certain word rather than whitelisting certain words. Although the original answer given by @michaeak did contribute greatly to reaching this answer. (That answer has now been updated with a possibly improved version of the accepted answer.) Thank you for your help! – gordon613 Apr 02 '17 at 09:56
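The following is an added example, not code from either answer or from the asker's project. It runs both regexes from this thread (the accepted `^((?!SecurityIssues).)*(request\.getParameter)` and michaeak's `=\s*?((?!SecurityIssues).)*?(request\.getParameter)\(`) over a constructed set of Java source lines to show which calls each one flags as not wrapped by the sanitizer, and where a line-based audit like this can miss a case. Python's `re` module supports the same negative-lookahead and reluctant-quantifier syntax that Eclipse's Java-based search uses, so the match results carry over; the sample lines and the name `find_unsanitized` are assumptions made for the example.

```python
import re

# Constructed sample of Java source lines (not taken from any real project).
# Lines 1-4 mirror the examples in the question; lines 5-8 probe edge cases.
SAMPLE_JAVA = """\
int companyNo = StringFunctions.StringToInt(request.getParameter("COMPANY_NO"))
double percentage = StringFunctions.StringToDouble(request.getParameter("MARKETSHARE"))
int c = request.getParameter("DUMMY")
int companyNo = SecurityIssues.StringToIntCompany(request.getParameter("COMPANY_NO"))
String raw = request.getParameter("RAW"); // SecurityIssues checked later
SecurityIssues.log(); String later = request.getParameter("LATER");
int d = MySecurityIssuesHelper.wrap(request.getParameter("D"))
String unrelated = computeSomething();
"""

# Regex from the accepted answer: a "tempered dot" that refuses to step over
# the word SecurityIssues anywhere between the line start and the call.
ACCEPTED = re.compile(r'^((?!SecurityIssues).)*(request\.getParameter)')

# Regex from michaeak's answer: same idea, but the scan starts at an '=' sign
# and is reluctant, so only the text between '=' and the call is inspected.
MICHAEAK = re.compile(r'=\s*?((?!SecurityIssues).)*?(request\.getParameter)\(')


def find_unsanitized(source: str, pattern: re.Pattern) -> list[int]:
    """Return the 1-based line numbers that `pattern` flags.

    The search is done line by line, matching how an IDE file search reports
    hits; '.' never crosses a newline, so neither regex can span lines anyway.
    """
    flagged = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if pattern.search(line):
            flagged.append(lineno)
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_JAVA.splitlines()
    for name, pattern in (("accepted", ACCEPTED), ("michaeak", MICHAEAK)):
        print(f"--- {name} ---")
        for n in find_unsanitized(SAMPLE_JAVA, pattern):
            print(f"{n}: {lines[n - 1]}")
```

Both patterns flag the three unwrapped calls from the question and skip the one wrapped in `SecurityIssues.StringToIntCompany`. The edge cases show the limits of the approach: line 5 is correctly flagged even though the word `SecurityIssues` appears later on the line, because only the text before the call is inspected; line 6 is missed by the accepted regex but caught by michaeak's, since the sanitizer call at the start of the line has nothing to do with the assignment that follows; and line 7 is missed by both, because the lookahead matches `SecurityIssues` as a substring of an unrelated identifier. A search like this is a useful triage tool for a code audit, not proof that every remaining parameter is sanitized.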