Missing validation for regular expression
- Rule ID: go_lang_permissive_regex_validation
- Languages: go
- Source: permissive_regex_validation.yml
Description
When a regular expression is used for validation, anchor it to the start and end of the text so that the whole input is checked rather than any substring of it. Prefer the text anchors \A and \z over ^ and $: \A and \z always mark the beginning and end of the entire text, whereas ^ and $ become line anchors in multiline mode. Go's regexp package (RE2 syntax) does not support \Z; regexp.Compile rejects it as an invalid escape sequence, so \z is the end-of-text anchor to use.
Remediations
- Do not use regular expressions without start and end boundaries. An unanchored pattern matches anywhere in the input, so the validation is incomplete: the pattern foo also accepts xfooy.
regexp.MustCompile("foo") // unsafe
- Do not use line-based boundaries (^ and $) for validation, as they may not cover the entire text. In Go, ^ and $ anchor to the whole text by default and turn into line anchors as soon as the m flag ((?m)) is set, at which point ^foo$ also accepts bar\nfoo\nbaz; \A and \z keep their meaning regardless of flags.
regexp.MustCompile("^foo$") // unsafe
- Do use whole-text boundaries (\A and \z) in your regular expressions so the entire input is validated. In Go source, write the pattern as a raw string literal (backquotes) or double the backslashes: "\Afoo\z" in a double-quoted string is a compile error (unknown escape sequence).
regexp.MustCompile(`\Afoo\z`)
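The following program is an added example, not part of the Bearer rule or its documentation. It runs the three anchoring styles from the remediations above over a few constructed inputs to show which values each one accepts, and checks that Go's regexp package rejects \Z. The sample inputs and the function names Accepted and Compiles are this example's own choices.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample inputs for a check that means "the input is exactly foo".
// Only the first one should ever pass.
var samples = []string{
	"foo",
	"xfooy",         // foo embedded in other text
	"foo\n",         // trailing newline
	"bar\nfoo\nbaz", // foo on its own line inside multi-line input
}

// The same nominal check with different anchoring. Raw string literals are
// deliberate: "\Afoo\z" in a double-quoted Go string is a compile error.
var validators = map[string]*regexp.Regexp{
	"unanchored":  regexp.MustCompile(`foo`),
	"^foo$":       regexp.MustCompile(`^foo$`),
	"(?m)^foo$":   regexp.MustCompile(`(?m)^foo$`),
	`\Afoo\z`:     regexp.MustCompile(`\Afoo\z`),
	`(?m)\Afoo\z`: regexp.MustCompile(`(?m)\Afoo\z`),
}

// Accepted returns the sample inputs that the named validator accepts.
func Accepted(name string) []string {
	re := validators[name]
	if re == nil {
		return nil
	}
	var out []string
	for _, s := range samples {
		if re.MatchString(s) {
			out = append(out, s)
		}
	}
	return out
}

// Compiles reports whether Go's RE2 syntax accepts a pattern at all. It is
// here to show that \Z (Perl/Python's "end of text, before a final newline")
// is rejected by Go, so \z is the only whole-text end anchor available.
func Compiles(pattern string) bool {
	_, err := regexp.Compile(pattern)
	return err == nil
}

func main() {
	for _, name := range []string{"unanchored", "^foo$", "(?m)^foo$", `\Afoo\z`, `(?m)\Afoo\z`} {
		fmt.Printf("%-13s accepts %q\n", name, Accepted(name))
	}
	fmt.Printf("%-13s compiles: %v\n", `\Afoo\Z`, Compiles(`\Afoo\Z`))
}
```

Without multiline mode, Go's ^foo$ behaves like \Afoo\z and accepts only "foo"; adding (?m) silently widens it to "foo\n" and "bar\nfoo\nbaz", while \Afoo\z is unaffected by the flag. That is why the rule asks for the explicit text anchors even though the default behaviour happens to be safe.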
Associated CWE
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_lang_permissive_regex_validation
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_lang_permissive_regex_validation