Permissive regular expression used in matching

Description

When matching with regular expressions -- especially for validation purposes -- it is crucial to anchor the pattern to the start and end of the text. This ensures the entire text is validated, not just a part of it, and prevents attackers from bypassing validation with input that only partially matches. Use \A and \z (or \Z) instead of ^ and $ to mark text boundaries, because these match the beginning and end of the whole text even in multiline mode, whereas ^ and $ match at line boundaries when the m flag is set.

Remediations

  • Do not use regular expressions for validation without specifying start and end boundaries. A partial match is then treated as valid even though the surrounding text may contain unsafe input.
    regexp.MustCompile("foo") // unsafe: matches "foo" anywhere in the text
  • Do not use line-based boundaries (^ and $) for validation, as in multiline mode they only secure a single line, not the entire text.
    regexp.MustCompile("^foo$") // unsafe: with (?m) this accepts "foo" on any line
  • Do use whole-text boundaries (\A and \z or \Z) in your regular expressions to ensure the whole text is validated. Note that \A and \z are not valid escapes in a Go interpreted string literal, so write the pattern as a raw string.
    regexp.MustCompile(`\Afoo\z`) // safe: "foo" must be the entire text
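The following added example (not part of the rule page) runs the three forms of the pattern side by side against constructed inputs, including the multiline case where ^ and $ become line anchors. Go's regexp package implements RE2 syntax, which accepts \A and \z but rejects \Z, so the text-anchored validator uses \z.

```go
package main

import (
	"fmt"
	"regexp"
)

// Candidate validators for an input that must be exactly "foo".
// The first three are the permissive forms the rule flags; only
// the last one is anchored to the whole text. Raw string literals
// are used because "\A" and "\z" are not valid Go string escapes.
var validators = map[string]*regexp.Regexp{
	"unanchored":    regexp.MustCompile(`foo`),
	"line-anchored": regexp.MustCompile(`^foo$`),
	"multiline":     regexp.MustCompile(`(?m)^foo$`),
	"text-anchored": regexp.MustCompile(`\Afoo\z`),
}

// Accepts reports, per validator, whether the input is accepted.
func Accepts(input string) map[string]bool {
	out := make(map[string]bool, len(validators))
	for name, re := range validators {
		out[name] = re.MatchString(input)
	}
	return out
}

func main() {
	// Constructed inputs: the first is legitimate; the others embed
	// "foo" inside other text or on its own line within a larger text.
	inputs := []string{"foo", "xfoox", "foo\ninjected line", "header\nfoo\n"}
	for _, in := range inputs {
		fmt.Printf("%q -> %v\n", in, Accepts(in))
	}
}
```

Only the text-anchored validator rejects every input except the exact string "foo"; the multiline form accepts "foo" whenever it appears as a complete line.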

Associated CWE

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_lang_permissive_regex_validation

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_lang_permissive_regex_validation