I'm getting a critical sonar issue "Using regular expressions is security-sensitive" when using the code
Pattern.compile(regex, Pattern.CASE_INSENSITIVE)
Can anyone help to fix this? Is there any alternatives available for this?
Asked
Active
Viewed 9,612 times
4
Wiktor Stribiżew
- 607,720
- 39
- 448
- 563
Raj
- 59
- 2
- 4
-
If you need more help, please update the question with the exact regex you are using. – Wiktor Stribiżew Mar 12 '20 at 12:07
-
Pattern newpattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = newpattern.matcher(value).replaceAll(""); this is the code – Raj Mar 13 '20 at 14:54
-
Please add it to the question – Wiktor Stribiżew Mar 13 '20 at 15:01
-
Try `"src=([^']+)"` pattern or `"src = ([^']+)"`. – Wiktor Stribiżew Mar 13 '20 at 15:47
1 Answers
2
As per this Sonarsource documenation,
This rule flags any execution of a hardcoded regular expression which has at least 3 characters and at least two instances of any of the following characters:
*+{..
So, you must make sure your pattern complies with the rule.
Alternatively, you may disable the warnings by Turning Sonar off for certain code.
Wiktor Stribiżew
- 607,720
- 39
- 448
- 563
-
So if our pattern doesn't comply with the rule, what exactly should we need to do then? My regular expression is ".*\\d+.*" and how should I comply with the rule flag. – Shrut Oct 30 '20 at 10:07
-
@ShrutikaNinawe Ignore the warning, or use simpler regexps with just one quantifier, `"src='([^']*)'"` or `"src = '([^']*)'"`. – Wiktor Stribiżew Oct 30 '20 at 10:09
-
@ShrutikaNinawe You may simply use `[0-9]` to check if a string contains a digit or disable the warning. – Wiktor Stribiżew Nov 30 '20 at 13:23