SonarQube regex security hotspot for replaceAll

The following code flags a security hotspot in SonarQube due to backtracking when evaluating the regular expression which could lead to DoS. The regular expression is fine because it is not flagged elsewhere in the code, so this leads me to think SonarQube is flagging this because it is using ReplaceAll. I have read this post, Is use of ReplaceAll() method forbidden in SonarQube, but don't think this applies here. My boss wants me to fix this wihtout using the //NOSONAR comment but not sure what needs fixing.

      final String MONGO_REG = "(mongodb://.+:)(.*)(@.+)";
      final String PASSWD_REPLACEMENT = "XXXXXXXXXX";
      String mongoUri = "mongodb://myDBReader:D1fficultP%40ssw0rd@mongodb0.example.com:27017/?authSource=admin";
      String newMongoUri = mongoUri.replaceAll(MONGO_REG, "$1" + PASSWD_REPLACEMENT + "$3");
      logger.info(">> {}", newMongoUri);

Using Java 11 Can anyone see how I can fix this?



Comments

Popular posts from this blog

Today Walkin 14th-Sept

Spring Elasticsearch Operations

Hibernate Search - Elasticsearch with JSON manipulation