Missing validation for regular expression


When validating data with regular expressions, it's crucial to match the entire text. Failing to specify the start and end of the text can lead to incomplete validation, making your application vulnerable to malicious input. Regular expressions should always specify the start of text (\A) and end of text (\z or \Z) boundaries to ensure that the entire string is evaluated, not just portions of it. Note: it is best security practice to prefer the boundary expressions \A and \z or \Z over ^ and $, because ^ and $ operate as line-based boundaries when multiline mode is enabled.


  • Do not use regular expressions without specifying start and end text boundaries. This approach can result in partial matches, which may not fully validate the data.
    protected string $attribute; // unsafe
  • Do not rely on line-based boundaries (^ and $).
    protected string $attribute; // unsafe
  • Do use \A and \z or \Z as boundaries in your regular expressions to ensure that the entire text is validated from start to end.
    protected string $attribute;


Associated CWE


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_symfony_permissive_regex_validation

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_symfony_permissive_regex_validation