CWE-625: Permissive Regular Expression

Description

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

Submission Date: 2007-05-07

Modification Date: 2023-06-29

Organization: MITRE
Extended Description

This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:

  • not identifying the beginning and end of the target string
  • using wildcards instead of acceptable character ranges
  • others

Example Vulnerable Codes

Example - 1

The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers.


    $phone = GetPhoneNumber();
    if ($phone =~ /\d+-\d+/) {
      # looks like it only has hyphens and digits
      system("lookup-phone $phone");
    }
    else {
      error("malformed number!");
    }

An attacker could provide an argument such as "; ls -l ; echo 123-456". This would pass the check, since the "123-456" substring is sufficient to satisfy the "\d+-\d+" pattern; nothing in the expression requires the match to cover the whole string.

Example - 2

This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command.




    import subprocess
    import re

    def validate_ip_regex(ip: str):
        ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}")
        if ip_validator.match(ip):
            return ip
        else:
            raise ValueError("IP address does not match valid pattern.")

    def run_ping_regex(ip: str):
        validated = validate_ip_regex(ip)
        # The ping command treats zero-prepended IP addresses as octal
        result = subprocess.call(["ping", validated])
        print(result)

Because the regular expression has no anchors (CWE-777), i.e. it is not bounded by ^ or $ characters, prepending a 0 or 0x to the IP address still produces a matching pattern. Because the ping command accepts octal- and hex-prefixed IP addresses, it will use the unexpectedly valid address (CWE-1389). For example, "0x63.63.63.63" is treated as equivalent to "99.63.63.63". As a result, an attacker could potentially ping systems that the attacker cannot reach directly.
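The following Python script is an added illustration of both examples above (and of the "beginning and end of the target string" error from the Extended Description); it is not code from the CWE entry. It reuses the two patterns exactly as they appear on this page, runs the page's own inputs through Perl-style search semantics, Python's start-anchored match() and whole-string fullmatch(), and pairs each permissive check with a strict replacement. The IP_STRICT pattern, the validate_phone/validate_ip names, and the "63.63.63.63; echo" and "123-456\n" inputs are assumptions of this example, not part of the CWE text.

```python
import re

# Patterns copied from the two demonstrative examples on this page. Both are
# permissive: nothing ties them to the start or end of the input.
PHONE_PERMISSIVE = re.compile(r"\d+-\d+")
IP_PERMISSIVE = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}")

# Strict replacement for the IP check (assumed here, not part of the CWE entry):
# one decimal octet 0-255 with no leading zeros, repeated exactly four times.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IP_STRICT = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")


def matches_anywhere(pattern, value):
    """Perl's `$x =~ /pat/` and Python's search(): a hit anywhere in the
    string counts, so the rest of the string is never inspected."""
    return pattern.search(value) is not None


def matches_from_start(pattern, value):
    """Python's match() pins the pattern to the start only; whatever follows
    the matched prefix is ignored (this is what Example 2's code relies on)."""
    return pattern.match(value) is not None


def matches_whole(pattern, value):
    """fullmatch() requires the pattern to cover the entire string. Unlike a
    trailing `$`, it does not tolerate a final newline."""
    return pattern.fullmatch(value) is not None


def validate_phone(value):
    """Hardened form of Example 1's check: same pattern, but it must cover the
    whole input. Raises ValueError on anything else."""
    if not matches_whole(PHONE_PERMISSIVE, value):
        raise ValueError("malformed number!")
    return value


def validate_ip(ip):
    """Hardened form of Example 2's validate_ip_regex(): a dotted quad with no
    prefix, no suffix and no leading zeros, so octal/hex spellings that ping
    would reinterpret (CWE-1389) never reach the command line."""
    if not matches_whole(IP_STRICT, ip):
        raise ValueError("IP address does not match valid pattern.")
    return ip


def audit():
    """Run the page's inputs through the permissive and strict checks and
    report which ones are accepted (True) or rejected (False)."""
    injected_phone = "; ls -l ; echo 123-456"   # the payload quoted in Example 1
    hex_ip = "0x63.63.63.63"                     # the hex-prefixed address from Example 2
    trailing_ip = "63.63.63.63; echo"            # constructed: valid quad plus trailing data
    newline_phone = "123-456\n"                  # constructed: valid number plus a newline
    return {
        # Example 1: the digits-hyphen-digits substring satisfies the Perl-style test ...
        "phone_permissive_accepts_injection": matches_anywhere(PHONE_PERMISSIVE, injected_phone),
        # ... while requiring a whole-string match rejects it.
        "phone_strict_accepts_injection": matches_whole(PHONE_PERMISSIVE, injected_phone),
        # Example 2: match() only pins the start, so trailing data passes ...
        "ip_match_accepts_trailing": matches_from_start(IP_PERMISSIVE, trailing_ip),
        # ... and under search() semantics the hex-prefixed address passes too.
        "ip_search_accepts_hex": matches_anywhere(IP_PERMISSIVE, hex_ip),
        "ip_strict_accepts_hex": matches_whole(IP_STRICT, hex_ip),
        "ip_strict_accepts_trailing": matches_whole(IP_STRICT, trailing_ip),
        # ^...$ is still not airtight in Python: $ also matches before a trailing newline.
        "dollar_anchor_accepts_newline": re.match(r"^\d+-\d+$", newline_phone) is not None,
        "fullmatch_accepts_newline": matches_whole(PHONE_PERMISSIVE, newline_phone),
    }


if __name__ == "__main__":
    for name, accepted in audit().items():
        print(f"{name:40} {'ACCEPTED' if accepted else 'rejected'}")
```

The strict IP pattern is deliberately narrower than the page's: it forbids leading zeros and the optional dot, so "063.63.63.63" and "0x63.63.63.63" fail before any command is built. Anchoring alone is the fix this CWE calls for; the extra tightening is there because the downstream consumer (ping) applies its own lenient parsing, which is the CWE-1389 half of Example 2.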

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give insight into similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.