
Safe regex for email #22

Open

danielmocan opened this issue Jan 18, 2018 · 3 comments

Comments

@danielmocan

I was trying out Liran's suggestion to validate regex expressions.

I used safer-regex but I have a problem validating an email regex. I even used the regex used by the W3C ( `/^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/` ) and
I still receive false ( not a safe regex ).

```javascript
const safe = require("safer-regex");
// W3C / HTML5 email pattern (plain apostrophe in the local-part class, not a curly quote)
const email = /^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/;
// OWASP email pattern, kept here for comparison
// const emailowasp = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
console.log( safe(`${email}`, false ) ); // prints false (reported as not safe)
```

Does anyone have any suggestions?

@lirantal
Member

Hi @danielmocan,

Great to see you are following secure code best practices!

Both email regexes that you're using seem suspicious. One of the attributes of bad regexes is repeating capture groups, which you can spot in both of them. In the first one, `email`, it shows up near the end with the string ending in `[a-zA-Z0-9-]+)*$/;`, and the second one, `emailowasp`, also has a repeating `+)*` capturing group.
They are indeed both vulnerable.

Proof of Concept

I crafted a malicious email address and used it against one of those email regexes; the result, using regex101, can be seen below:

[screenshot: regex101 result for the crafted input]

The malicious email input is available here https://pastebin.com/Wwb4n18G
It will not necessarily have the same effect when running it on a live JS regex engine but it should at least alarm you.

Alternative solution

If you're trying to match a common pattern like an e-mail address or an IP address then I suggest always betting on one of the existing libraries for this instead of writing your own. In our case for the JavaScript / Node.js world it would be the validator project.

P.S.
I'm not sure where you got the emailowasp regex; I would be happy to get a reference.
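To make the "repeating capture group" observation above concrete, here is an added example (written for this thread, not code from the issue, from safe-regex or from validator): a small static check that computes the star height of a pattern, the same kind of heuristic that flags a quantified group which itself contains a quantifier (e.g. `(a+)+`). Both regexes quoted in the issue get a star height of 2; a flat pattern stays at 1. The parser is an assumption of this example: it only understands the subset of JavaScript regex syntax the two email patterns use (groups, classes, escapes, `*`, `+`, `?`, `{m,n}`), and `SIMPLE_EMAIL_RE` is a constructed linear-time sanity pattern, not a substitute for validator's `isEmail`.

```javascript
// Added example for this thread (not code from the issue, safe-regex or validator).
// Star height > 1 means a quantifier is applied to a group that already
// contains a quantifier; such patterns can backtrack exponentially on
// non-matching input, which is the ReDoS shape discussed above.
// Assumption: only the regex subset used by the two email patterns is parsed.

// The two regexes quoted in the issue (curly quote in the local-part class
// replaced by a plain apostrophe, as in the WHATWG/HTML5 pattern).
const EMAIL_RE = /^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/;
const EMAIL_OWASP_RE = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
// Constructed, deliberately loose linear-time pattern: x@y.z with no nesting.
const SIMPLE_EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

function starHeight(source) {
  const n = source.length;
  const stack = [0];   // per open group: max star height of the atoms seen so far
  let i = 0;

  // If a quantifier starts at position i, consume it and return true.
  function consumeQuantifier() {
    if (i >= n) return false;
    const c = source[i];
    if (c === '*' || c === '+' || c === '?') {
      i += 1;
    } else if (c === '{') {
      const close = source.indexOf('}', i);
      if (close === -1 || !/^\{\d+(,\d*)?\}$/.test(source.slice(i, close + 1))) return false;
      i = close + 1;
    } else {
      return false;
    }
    if (i < n && source[i] === '?') i += 1;   // lazy modifier, e.g. +?
    return true;
  }

  while (i < n) {
    const c = source[i];
    let atomHeight = 0;   // star height of the atom consumed in this iteration
    if (c === '(') {
      stack.push(0);
      i += 1;
      if (source[i] === '?') {             // (?: (?= (?! (?<name>
        i += 1;
        if (source[i] === '<' && source[i + 1] !== '=' && source[i + 1] !== '!') {
          const gt = source.indexOf('>', i);
          i = gt === -1 ? n : gt + 1;
        } else {
          i += 1;
        }
      }
      continue;                            // the group is scored when ')' is seen
    }
    if (c === ')') {
      atomHeight = stack.length > 1 ? stack.pop() : 0;  // the group's own height
      i += 1;
    } else if (c === '[') {                // character class: nothing nests inside
      let j = i + 1;
      while (j < n && source[j] !== ']') j += source[j] === '\\' ? 2 : 1;
      i = j + 1;
    } else if (c === '\\') {               // escaped char such as \. or \s
      i += 2;
    } else {                               // literal, '|', '^', '$' or '.'
      i += 1;
    }
    if (consumeQuantifier()) atomHeight += 1;
    stack[stack.length - 1] = Math.max(stack[stack.length - 1], atomHeight);
  }
  return stack[0];
}

// true when the pattern has the nested-quantifier shape worth rejecting
function isReDoSCandidate(re) {
  return starHeight(re.source) > 1;
}

for (const [name, re] of Object.entries({ EMAIL_RE, EMAIL_OWASP_RE, SIMPLE_EMAIL_RE })) {
  console.log(`${name}: star height ${starHeight(re.source)}, candidate=${isReDoSCandidate(re)}`);
}
```

Running it prints a star height of 2 for `EMAIL_RE` and `EMAIL_OWASP_RE` and 1 for `SIMPLE_EMAIL_RE`. The check is purely structural: it tells you where the nesting is (the `(?:\.[a-zA-Z0-9-]+)*` tail and the `(\.[^...]+)*` / `([a-zA-Z\-0-9]+\.)+` groups), which is the part to rewrite or, as suggested above, the reason to hand the whole job to validator's `isEmail` instead of maintaining your own pattern.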

@danielmocan
Author

Hi @lirantal,

Thank you for answering my question.
I somehow forgot about validator.js; now that you mentioned it, I remembered it.
The email OWASP regex is from here: OWASP.
I think you mentioned them a few times.

I will change my problematic regex validations to use validator.js ( and see if I can add validator.js for the safe regex patterns as well ).

@lirantal
Member

Yes, OWASP has great resources, but validator will be a better choice for this purpose.
Good luck!
