Missing validation for regular expression

Description

When validating data with regular expressions, it's crucial to match the entire text. Failing to specify the start and end of the text can lead to incomplete validation, making your application vulnerable to malicious input. Regular expressions should always specify the start of text (\A) and end of text (\z or \Z) boundaries to ensure that the entire string is evaluated, not just portions of it.

Remediations

  • Do not use regular expressions for validation without specifying the start and end of the text. This approach can result in partial matches, which may not fully validate the data.
    validates :attribute, format: { with: /foo/ }
  • Do not rely on line-based boundaries (^ for start of line, $ for end of line) for validation. These can allow unexpected matches across multiple lines, potentially bypassing the validation.
    validates :attribute, format: { with: /^foo$/ }
  • Do use whole-text boundaries (\A for start of text, \z or \Z for absolute end of text) in your regular expressions. This ensures that the validation matches the entire text, from start to finish, providing a more secure validation.
    validates :attribute1, format: { with: /\Afoo\Z/ }
    validates :attribute2, format: { with: /\Afoo\z/ }
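The three remediation cases above, run against inputs that contain newlines, as an added example that is not code from this rule page or from Bearer; the pattern names, sample inputs and helper functions are constructed for illustration:

```ruby
# Added example, not part of the rule page: compares the anchoring styles from
# the remediation list against constructed inputs containing newlines. A
# format validator accepts a value as soon as the regexp matches it anywhere,
# so a partial match is enough to pass validation.
PATTERNS = {
  unanchored:    /foo/,       # flagged: matches anywhere in the text
  line_anchored: /^foo$/,     # flagged: ^ and $ are per-line anchors in Ruby
  whole_text_Z:  /\Afoo\Z/,   # accepted; \Z still tolerates one trailing "\n"
  whole_text_z:  /\Afoo\z/    # strictest: \z is the absolute end of the text
}.freeze

# Mirrors the accept/reject decision a format validator makes for one pattern.
def format_valid?(pattern, value)
  pattern.match?(value.to_s)
end

# Runs every pattern against one value; returns { name => accepted? }.
def check_all(value)
  PATTERNS.transform_values { |re| format_valid?(re, value) }
end

# Constructed inputs (not from the page); all but :exact carry extra content
# that a validator for the literal "foo" should reject.
SAMPLES = {
  exact:            "foo",
  trailing_newline: "foo\n",
  appended_line:    "foo\nextra",
  prepended_line:   "extra\nfoo",
  embedded:         "bar foo baz"
}.freeze

# Returns the names of patterns that accept at least one non-exact input.
def permissive_patterns
  SAMPLES.reject { |name, _| name == :exact }
         .flat_map { |_, value| check_all(value).select { |_, ok| ok }.keys }
         .uniq
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, value|
    puts "#{name.to_s.ljust(17)} #{value.inspect.ljust(14)} #{check_all(value)}"
  end
  puts "permissive: #{permissive_patterns.inspect}"
end
```

Only `/\Afoo\z/` rejects every non-exact input; `/\Afoo\Z/` still accepts `"foo\n"`, which matters when the value is later written to a file or protocol that treats a newline as a delimiter.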

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_permissive_regex_validation

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_rails_permissive_regex_validation