Missing validation for regular expression
- Rule ID: php_symfony_permissive_regex_validation
- Languages: php
- Source: permissive_regex_validation.yml
Description
When validating data with regular expressions, it's crucial to match the entire text. Failing to specify the start and end of the text can lead to incomplete validation, making your application vulnerable to malicious input. Regular expressions should always specify the start of text (\A) and end of text (\z or \Z) boundaries to ensure that the entire string is evaluated, not just portions of it. Note: it is best security practice to prefer the boundary expressions \A and \z or \Z over ^ and $, because ^ and $ operate as line-based boundaries when multiline mode is enabled.
Remediations
- Do not use regular expressions without specifying start and end text boundaries. This approach can result in partial matches, which may not fully validate the data.
#[Assert\Regex('/foo/')]
protected string $attribute; // unsafe - Do not rely on line-based boundaries (^ and $).
#[Assert\Regex('/^foo$/')]
protected string $attribute; // unsafe - Do use \A and \z or \Z as boundaries in your regular expressions to ensure that the entire text is validated from start to end.
#[Assert\Regex('/\Afoo\z/')]
protected string $attribute;
References
Associated CWE
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=php_symfony_permissive_regex_validation
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=php_symfony_permissive_regex_validation