Badly anchored regular expression
ID: rb/regex/badly-anchored-regexp
Kind: path-problem
Security severity: 7.8
Severity: warning
Precision: high
Tags:
- correctness
- security
- external/cwe/cwe-020
Query suites:
- ruby-code-scanning.qls
- ruby-security-extended.qls
- ruby-security-and-quality.qls
Regular expressions in Ruby can use anchors to match the beginning and end of a string. However, in Ruby the `^` and `$` anchors match at the beginning and end of a *line*, so a regular expression using them can match just one line of a multi-line string. This allows bad actors to bypass your regular expression checks by placing the expected content on one line and malicious input on another.
Recommendation
Use the `\A` and `\z` anchors instead, since these always match the beginning and end of the whole string, even if the string contains newlines.
Example
The following (bad) example code uses a regular expression to check that a string contains only digits.
```ruby
def bad(input)
  raise "Bad input" unless input =~ /^[0-9]+$/
  # ....
end
```
The regular expression `/^[0-9]+$/` will match a single line of a multi-line string, which may not be the intended behavior. The following (good) example code uses the regular expression `\A[0-9]+\z` to match the entire input string.
```ruby
def good(input)
  raise "Bad input" unless input =~ /\A[0-9]+\z/
  # ....
end
```
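To make the difference concrete, the following added example (not part of the CodeQL documentation or the query itself) runs the line-anchored and string-anchored patterns over a few constructed inputs, including a multi-line string that the `^`/`$` version wrongly accepts. It also shows `\Z`, which, unlike `\z`, still tolerates a single trailing newline. The helper names (`only_digits?`, `classify`) and the sample strings are assumptions made for this illustration.

```ruby
# Added example: line anchors (^ $) versus string anchors (\A \z, \Z) in Ruby.
# Not taken from the CodeQL query; helper names and inputs are constructed here.

DIGITS_LINE_ANCHORED   = /^[0-9]+$/     # ^ and $ bind to line boundaries
DIGITS_STRING_ANCHORED = /\A[0-9]+\z/   # \A and \z bind to the whole string
DIGITS_BIG_Z           = /\A[0-9]+\Z/   # \Z also accepts one trailing "\n"

# Returns true when +input+ is accepted by +pattern+.
def only_digits?(input, pattern)
  !(input =~ pattern).nil?
end

# Evaluates one input against all three patterns so the results can be compared.
def classify(input)
  {
    line_anchored:   only_digits?(input, DIGITS_LINE_ANCHORED),
    string_anchored: only_digits?(input, DIGITS_STRING_ANCHORED),
    big_z:           only_digits?(input, DIGITS_BIG_Z),
  }
end

# Constructed sample inputs (not real data).
SAMPLES = [
  "12345",            # plain digits: every pattern accepts
  "123\nnot digits",  # first line is digits: ^...$ accepts, \A...\z rejects
  "abc\n42",          # last line is digits: ^...$ accepts, \A...\z rejects
  "42\n",             # trailing newline: ^...$ and \Z accept, \z rejects
]

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |s|
    puts "#{s.inspect.ljust(20)} => #{classify(s)}"
  end
end
```

Running the script prints one line per sample; only `"12345"` is accepted by the string-anchored pattern, which is the behaviour the `good` method above relies on.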