Missing validation for regular expression

Description

When validating data with regular expressions, it's crucial to match the entire text. Failing to specify the start and end of the text can lead to incomplete validation, making your application vulnerable to malicious input. Regular expressions used for validation should always anchor to the start of text (\A) and the end of text (\z or \Z) so that the entire string is evaluated, not just a portion of it. Note: it is best security practice to prefer the boundary expressions \A and \z or \Z over ^ and $, because ^ and $ operate as line-based boundaries when multiline mode is enabled.

Remediations

  • Do not use regular expressions without specifying start and end text boundaries. This approach can result in partial matches, which may not fully validate the data.
    #[Assert\Regex('/foo/')]
    protected string $attribute; // unsafe
  • Do not rely on line-based boundaries (^ and $).
    #[Assert\Regex('/^foo$/')]
    protected string $attribute; // unsafe
  • Do use \A and \z or \Z as boundaries in your regular expressions to ensure that the entire text is validated from start to end.
    #[Assert\Regex('/\Afoo\z/')]
    protected string $attribute; // safe
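The three patterns above, applied directly with preg_match() (which is what Symfony's Regex constraint calls) against a few constructed inputs. This is an added example, not code from the Bearer rule or from Symfony; the helper name passesRegexConstraint and the sample inputs are assumptions made for illustration. It also includes a value with a trailing newline, which \Z and an unanchored $ still accept while \z rejects it.

```php
<?php
// Added example (not from the Bearer rule page or Symfony): shows how the
// patterns from the rule behave when applied with preg_match(), which is what
// Symfony's Regex constraint uses under the hood.
declare(strict_types=1);

/** Mirror the Regex constraint's default behaviour: valid only if the pattern matches. */
function passesRegexConstraint(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

// Constructed inputs: a clean value, a value with extra characters before the
// expected token, a multi-line value and a value with a trailing newline.
$inputs = [
    'foo'        => "foo",
    'xfoo'       => "xfoo",
    'foo_lf_bar' => "foo\nbar",
    'foo_lf'     => "foo\n",
];

$patterns = [
    'unanchored /foo/'        => '/foo/',
    'line-based /^foo$/'      => '/^foo$/',
    'line-based multiline /m' => '/^foo$/m',
    'anchored /\Afoo\Z/'      => '/\Afoo\Z/',
    'anchored /\Afoo\z/'      => '/\Afoo\z/',
];

// Print an accept/reject matrix: one row per pattern, one column per input.
printf("%-26s", 'pattern');
foreach (array_keys($inputs) as $label) {
    printf(" %-10s", $label);
}
echo PHP_EOL;
foreach ($patterns as $label => $pattern) {
    printf("%-26s", $label);
    foreach ($inputs as $value) {
        printf(" %-10s", passesRegexConstraint($pattern, $value) ? 'accept' : 'reject');
    }
    echo PHP_EOL;
}
```

Only the /\Afoo\z/ row rejects every input except the exact value "foo"; /\Afoo\Z/ and the non-multiline /^foo$/ still accept "foo\n" because both \Z and $ match before a final newline in PCRE.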

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_symfony_permissive_regex_validation

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_symfony_permissive_regex_validation