logo

CWE-186 - Overly Restrictive Regular Expression

CWE-186

  • Abstraction:
  • Base
  • Structure:
  • Simple
  • Status:
  • Draft
Weakness Name

Overly Restrictive Regular Expression

Description

A regular expression is overly restrictive, which prevents dangerous values from being detected.

This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not "complex" but the value "9" is not matched when maybe the programmer planned to check for it.

Common Consequences

Scope: Access Control

Impact: Bypass Protection Mechanism

Related Weaknesses

CWE-184Incomplete List of Disallowed Inputs

CWE-183Permissive List of Allowed Inputs

CWE-185Incorrect Regular Expression

  • Release Date:
  • 2006-07-19
  • Latest Modification Date:
  • 2023-06-29

Free security scan for your website