
Ignore comment in Regex

Open kuei0221 opened this issue 5 years ago • 2 comments

Background

Brakeman version: 4.10.0
Rails version: 6.0.3.4
Ruby version: 2.7.2

False Positive

Full warning from Brakeman:

Category: Format Validation
Check: ValidationRegex
Message: Insufficient validation for `payment_pointer` using `/
    \A                # start
    \$                # starts with a dollar sign
    ([a-zA-Z0-9\-.])+ # matches the hostname (ex ilp.uphold.com)
    (\/[\x20-\x7F]+)?  # optional forward slash and identifier with printable ASCII characters
    \z # end
  /x`. Use `\A` and `\z` as anchors

Why might this be a false positive?

The above expression uses \A and \z, but is still considered invalid. It will pass if the last comment, `# end`, is removed. Since the expression is used with the /x option, the comments and whitespace are ignored and do not influence the expression. Therefore the validation should consider ignoring them as well.

kuei0221, Dec 04 '20 15:12

Agree with this, but Brakeman uses a regex to match the regex... so that might take some fiddling to get right.

presidentbeef, Feb 11 '21 01:02