1. Home
  2. CWE Database
  3. CWE-186
Base · Medium

CWE-186: Overly Restrictive Regular Expression

A regular expression is overly restrictive, which prevents dangerous values from being detected.

CWE-186 · Base Level ·1 CVEs ·1 Mitigations

Description

A regular expression is overly restrictive, which prevents dangerous values from being detected.

This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not "complex" but the value "9" is not matched when maybe the programmer planned to check for it.

Potential Impact

Access Control

Bypass Protection Mechanism

Mitigations & Prevention

Implementation

Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject your regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through

Real-World CVE Examples

CVE IDDescription
CVE-2005-1604MIE. ".php.ns" bypasses ".php$" regexp but is still parsed as PHP by Apache. (manipulates an equivalence property under Apache)

CWE-185: Incorrect Regular Expression

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

CWE-184: Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not all...

CWE-183: Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explici...

Taxonomy Mappings

  • PLOVER: — Overly Restrictive Regular Expression

Frequently Asked Questions

What is CWE-186?

CWE-186 (Overly Restrictive Regular Expression) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A regular expression is overly restrictive, which prevents dangerous values from being detected.

How can CWE-186 be exploited?

Attackers can exploit CWE-186 (Overly Restrictive Regular Expression) to bypass protection mechanism. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-186?

Key mitigations include: Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular

What is the severity of CWE-186?

CWE-186 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.