Regular Expression for Locating a Password in a Connection String

I used this RegEx to locate an encrypted password in a connection string. I wrote a utility that would allow for the encryption of a password string so that the clear text password could be replaced by the encrypted string in the config. I did this because I didn’t want the whole string encrypted, just the password. Thus at runtime the logic needed to retrieve the connection string from the config, find the password value and run it through the decryption algorithm. This is the explanation for the RegEx I used to accomplish this.

string passwordGroup = "pwd";
string searchExpression = "(?i)password=(?<" + passwordGroup + @">[0-9a-zA-Z\+/=]+)";

Example strings that this expression will be run against are:

<add name="AConnectionString" connectionString="Provider=OraOLEDB.Oracle;Data Source=XE; User ID=uid0; Password=AcQtF5W9CGmph8NxtPVfyPnDBxrmHU=;OLEDB.NET=true;Unicode=True" />
<add name="DBConnName" connectionString="packet size=4096;user id=uid0;data source=SERVER01;persist security info=True;initial catalog=catalogName;password=IkX+129i/iUshSJc0O3rCxHKz2lv6+mRNe91vIw=" />

(?i) - This is a modifier affecting how the remainder of the string is processed.

(?x) - This syntax indicates that this is a modifier. The x is a placeholder that will be replaced with an appropriate set of modifiers. In my case those are i, s, & m.

i - turns on case insensitivity for the remainder of the string.

password= - Represents a literal string. I am using this string to find the position at which to start the regex match for the password value I am searching for.  In this case the expression will begin matching at the p in password.

(?<" + passwordGroup + @">[0-9a-zA-Z\+/=]+) - boils down to (?<pwd>[0-9a-zA-Z\+/=]+). Let’s take a look at the first part of this expression:

(?<>) - This is the .NET syntax for creating a named group. Groups are organizational structures used to pluck particular search strings out of a larger string. By default regex engines will sequentially number the groups starting at 0. In my case, I want to give my group a specific name for retrieval from the match, thus this syntax. In my expression the “pwd” string represents the name for my matching group. The contents of the matched group will be the string returned by the evaluation of the expression inside the parentheses.

[0-9a-zA-Z\+/=]+ - matches one or more characters from the set of alphanumeric characters plus +, /, and =. These 3 extra characters are allowed in the set of characters the encrypted string may contain. As you can see, both examples show that the password field will end with either a " or a ;. Since neither of those two terminating characters is in the set of allowed characters, the match will end there. Thus the match will start at the “p” in password and end before either the ; or the " at the end of the password value.

This expression will return an entire match of: password=value.  From this match one group will exist which will contain only the password value.

My entire method using this expression and extracting the named group:

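// Method excerpt; the enclosing class needs these usings:
using System;
using System.Text.RegularExpressions;

protected string RetrievePasswordValue(string connectionString)
{
    string passwordGroup = "pwd";
    string searchExpression = "(?i)password=(?<" + passwordGroup + @">[0-9a-zA-Z\+/=]+)";

    try
    {
        // Groups[...].Value is an empty string when the expression does not match.
        Match passwordMatch = Regex.Match(connectionString, searchExpression);
        return passwordMatch.Groups[passwordGroup].Value;
    }
    catch (Exception)
    {
        // Do something better than this exception handling, obviously
        throw; // rethrow without resetting the stack trace
    }
}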

I’m no regex expert by any means, so there may be better ways to write the expression. Please leave a comment if you see a glaring problem with my expression. One thing I could probably do to it would be to add a more explicit terminator on " or ; rather than have it end by just not being in the set of valid characters.
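The explicit terminator mentioned above, written out as an added example (not the author's code): the key is anchored to the start of the string or a preceding ;, the value must run up to a ; or the end of the string, and a failed match raises an error instead of yielding an empty or silently truncated password. The names ConnectionStringPassword and ReplacePassword and the decrypt delegate are hypothetical, since the post does not show its decryption routine; the last two sample strings are constructed.

```csharp
using System;
using System.Text.RegularExpressions;

static class ConnectionStringPassword
{
    // Key must start the string or follow ';' (so "OldPassword=" is not matched);
    // value must run up to ';' or end of string, otherwise there is no match.
    static readonly Regex PasswordPattern = new Regex(
        @"(?:^|;)\s*password\s*=\s*(?<pwd>[0-9a-zA-Z+/=]+)\s*(?=;|$)",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Returns the connection string with the encrypted value swapped for the
    // output of 'decrypt'. Throws instead of returning an empty or truncated value.
    public static string ReplacePassword(string connectionString, Func<string, string> decrypt)
    {
        if (connectionString == null) throw new ArgumentNullException(nameof(connectionString));
        Match m = PasswordPattern.Match(connectionString);
        if (!m.Success)
            throw new FormatException("No well-formed password field found.");
        Group pwd = m.Groups["pwd"];
        // Splice by index so only the value changes, not the rest of the string.
        return connectionString.Substring(0, pwd.Index)
             + decrypt(pwd.Value)
             + connectionString.Substring(pwd.Index + pwd.Length);
    }

    static void Main()
    {
        // Placeholder "decryption" for the demo only: marks what would be decrypted.
        Func<string, string> fake = s => "<decrypted:" + s.Length + " chars>";
        string[] samples = {
            // The two connectionString values from the post
            "Provider=OraOLEDB.Oracle;Data Source=XE; User ID=uid0; Password=AcQtF5W9CGmph8NxtPVfyPnDBxrmHU=;OLEDB.NET=true;Unicode=True",
            "packet size=4096;user id=uid0;data source=SERVER01;persist security info=True;initial catalog=catalogName;password=IkX+129i/iUshSJc0O3rCxHKz2lv6+mRNe91vIw=",
            // Constructed: value contains a character outside the allowed set
            "user id=uid0;password=abc-def;data source=SERVER01",
            // Constructed: a different key that merely ends in "password"
            "user id=uid0;OldPassword=AAAA;data source=SERVER01",
        };
        foreach (string s in samples)
        {
            try { Console.WriteLine(ReplacePassword(s, fake)); }
            catch (FormatException e) { Console.WriteLine("rejected: " + e.Message); }
        }
    }
}
```

With the original expression the third sample would return "abc" and the fourth would return "AAAA"; here both are rejected, so a malformed config fails at load time rather than at the database login.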

Here are some great links for learning and testing your regular expressions:

http://www.regular-expressions.info

http://derekslager.com/blog/posts/2007/09/a-better-dotnet-regular-expression-tester.ashx

Posted Tuesday, January 19th, 2010 in .NET, Programming, Software Development