2022-07-25

SonarQube regex security hotspot for replaceAll

The following code flags a security hotspot in SonarQube due to backtracking when evaluating the regular expression, which could lead to DoS. The regular expression is fine because it is not flagged elsewhere in the code, so this leads me to think SonarQube is flagging this because it is using ReplaceAll. I have read this post, "Is use of ReplaceAll() method forbidden in SonarQube", but don't think this applies here. My boss wants me to fix this without using the //NOSONAR comment, but I'm not sure what needs fixing.

      // three groups: everything up to the password, the password itself, and the rest of the URI
      final String MONGO_REG = "(mongodb://.+:)(.*)(@.+)";
      final String PASSWD_REPLACEMENT = "XXXXXXXXXX";
      String mongoUri = "mongodb://myDBReader:D1fficultP%40ssw0rd@mongodb0.example.com:27017/?authSource=admin";
      // keep groups 1 and 3, swap the password (group 2) for the mask
      String newMongoUri = mongoUri.replaceAll(MONGO_REG, "$1" + PASSWD_REPLACEMENT + "$3");
      logger.info(">> {}", newMongoUri);

Using Java 11. Can anyone see how I can fix this?
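The pattern in the question, `(mongodb://.+:)(.*)(@.+)`, is built from three wildcard groups that can all match `:` and `@`, so on an input that does not match (or one crafted with many delimiters) the engine has to try every way of splitting the string among the groups before it gives up. The added example below (not code from the question) rewrites the same redaction with negated character classes, so each group stops at the first delimiter it may not contain and the match is decided in one pass; the class name, the sample URIs and the `redact` method are my own constructions, and whether a given SonarQube rule accepts it is not something the question settles.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Masks the password in a MongoDB connection string before it is logged.
 * Group 1: scheme + user name + ':'  (user name cannot contain ':', '@' or '/')
 * Group 2: the password               (stops at the first '@')
 * Group 3: '@' + hosts, port, database and options (the remainder)
 * None of the groups can overlap, so there is no ambiguous backtracking.
 */
public final class MongoUriRedactor {

    private static final Pattern CREDENTIALS =
            Pattern.compile("^(mongodb://[^:@/]+:)([^@]*)(@.+)$");

    private static final String PASSWD_REPLACEMENT = "XXXXXXXXXX";

    private MongoUriRedactor() { }

    /** Returns the URI with the password replaced, or the input unchanged if it carries no credentials. */
    public static String redact(String mongoUri) {
        Matcher m = CREDENTIALS.matcher(mongoUri);
        if (!m.matches()) {
            return mongoUri;
        }
        // Plain concatenation: no replacement-string parsing, so '$' or '\' in the mask is harmless.
        return m.group(1) + PASSWD_REPLACEMENT + m.group(3);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the URI from the question, one without credentials
        // (no '@', so nothing is masked) and a replica-set URI with several hosts.
        String fromQuestion = "mongodb://myDBReader:D1fficultP%40ssw0rd@mongodb0.example.com:27017/?authSource=admin";
        String noCredentials = "mongodb://mongodb0.example.com:27017/?authSource=admin";
        String replicaSet = "mongodb://app:s3cret@host1.example.com:27017,host2.example.com:27017/db?replicaSet=rs0";

        System.out.println(redact(fromQuestion));
        System.out.println(redact(noCredentials));
        System.out.println(redact(replicaSet));
    }
}
```

A percent-encoded password (as in the question, `%40` for `@`) never contains a raw `@`, which is what lets group 2 stop at the first one.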
