How can Regex.exec() get a code injection?


I got, from a security report, a code injection issue:

This could enable an attacker to inject and run arbitrary code. The attacker can inject the executed code via user input

const parseUrl = url => {
  const re = new RegExp(/^\/+(\w+)\/*/);
  const [_, service] = re.exec(url);
  return service;
};

I could not understand how it is possible to inject code there. And I did not find anything on the internet about that.

I am looking for an example of code injection or sources that show it is not possible to do code injection through RegExp.

Thank you

Source: JavaScript – Stack Overflow

November 25, 2021
Category : News
Tags: javascript | node.js | regex
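
An added check, not part of the original post or the security report: with a constant pattern, RegExp.prototype.exec() treats its argument purely as data, so code-shaped input yields either a captured \w+ token or no match. The names parseUrlSafe, originalThrows and __probe, and all sample inputs, are constructed for this illustration.

```javascript
// Added example; every name and input below is constructed for illustration.
const SERVICE_RE = /^\/+(\w+)\/*/; // constant pattern, same as in the question

// Same parsing as the question's parseUrl, but a non-match returns null
// instead of throwing while destructuring the null that exec() returns.
function parseUrlSafe(url) {
  if (typeof url !== 'string') return null;
  const match = SERVICE_RE.exec(url);
  return match === null ? null : match[1];
}

// The question's function, wrapped to report whether it throws on a non-match.
function originalThrows(url) {
  try {
    const re = new RegExp(/^\/+(\w+)\/*/);
    const [_, service] = re.exec(url);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// Constructed inputs, several shaped like JavaScript or template syntax.
const samples = [
  '/users/42',
  '//orders//',
  '/x;process.exit(1)',
  '/${7*7}/a',
  'require("child_process")',
  '',
  '/__probe()',
];

// Runs every sample and records whether any input caused code to execute.
function runSamples() {
  let sideEffect = false;
  globalThis.__probe = () => { sideEffect = true; }; // would flip if input ran
  const results = samples.map(s => parseUrlSafe(s));
  delete globalThis.__probe;
  return { results, sideEffect };
}

console.log(runSamples(), originalThrows('no-leading-slash'));
```

The behaviour that does differ between the two versions is the unhandled TypeError on input that does not match, which is an availability concern rather than code execution.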
