Insecure Use of Regular Expressions

Fixing Insecure Use of Regular Expressions

Regular expressions (regex) are used in almost every application. It is often overlooked, however, that Ruby treats the ^ and $ anchors differently from many other languages: they match at the beginning and end of any line within the string, not of the string as a whole. A security-related input validation written with ^ and $ can therefore be bypassed by user input that contains a newline.

Option A: Use the Right Regex Syntax

  1. Go through the issues that GuardRails identified in the PR/MR

  2. Identify any ^ or $ operators in the regular expression

     /^https?:\/\/[^\n]+$/i

  3. Replace ^ with \A and/or $ with \z

     /\Ahttps?:\/\/[^\n]+\z/i

  4. Test it and ensure the regex is still working as expected

  5. Ship it 🚢 and relax 🌴
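The two patterns from steps 2 and 3 run against constructed sample inputs, as an added example that is not part of the GuardRails page; the validator functions and the sample strings are assumptions made for illustration:

```ruby
# Added example (not from the GuardRails docs): shows why ^ and $ are unsafe
# anchors for whole-string validation in Ruby and how \A and \z fix it.

# Line-anchored pattern, as flagged in step 2: ^ and $ match at the start and
# end of ANY line, so a multi-line string can slip past it.
UNSAFE_URL_RE = /^https?:\/\/[^\n]+$/i

# String-anchored pattern from step 3: \A matches only at the very start of
# the string and \z only at its very end (\Z would still allow a trailing "\n").
SAFE_URL_RE = /\Ahttps?:\/\/[^\n]+\z/i

# Hypothetical validators wrapping each pattern; both return true/false.
def valid_url_unsafe?(input)
  UNSAFE_URL_RE.match?(input)
end

def valid_url_safe?(input)
  SAFE_URL_RE.match?(input)
end

# Constructed sample inputs: a benign URL, a multi-line value that merely
# CONTAINS a URL-looking line, and a URL with a trailing newline.
GOOD_URL      = "https://example.com/path"
MULTILINE     = "not-a-url\nhttps://example.com"
TRAILING_NEWLINE = "https://example.com\n"

if __FILE__ == $0
  [GOOD_URL, MULTILINE, TRAILING_NEWLINE].each do |s|
    puts "#{s.inspect}: unsafe=#{valid_url_unsafe?(s)} safe=#{valid_url_safe?(s)}"
  end
end
```

Only the benign URL passes the \A...\z pattern; the other two inputs are accepted by the ^...$ pattern and rejected by the corrected one.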