1.2.29. Always Anchor Regex
An unanchored regex finds the requested pattern anywhere in the string and leaves room around it for malicious content.
Without ^ and $, the regex matches any substring that satisfies the criteria, leaving the unused parts of the string available for arbitrary content. It is recommended to use both anchors.
Note that $ also matches before a trailing line ending, still leaving room after it for injected content.
This analysis reports a false positive when the regex is deliberately used to search for a pattern inside a much larger string. Check whether the rule does not apply in that case.
<?php
$birthday = getSomeDate($_GET);
// Permissive version : $birthday = '1970-01-01<script>xss();</script>';
// The unanchored pattern matches the date inside the string, so the payload passes.
if (!preg_match('/\d{4}-\d{2}-\d{2}/', $birthday)) {
error('Wrong data format for your birthday!');
}
// Restrictive version : $birthday = '1970-01-01';
// With ^ and $ the whole string must be the date.
if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $birthday)) {
error('Wrong data format for your birthday!');
}
echo 'Your birthday is on '.$birthday;
?>
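The following is an added example, not code from Exakat or from the page; it compares the permissive and restrictive checks above on constructed inputs and also covers the trailing line ending mentioned in the note, using the PCRE D modifier (\A and \z would do the same). The function names isDateUnanchored, isDateAnchored and isDateStrict and the sample values are assumptions made for this illustration.

```php
<?php
// Added example (not Exakat's code): three validators for a YYYY-MM-DD date.
declare(strict_types=1);

function isDateUnanchored(string $value): bool
{
    // Finds a date anywhere in the subject; content before or after it passes.
    return preg_match('/\d{4}-\d{2}-\d{2}/', $value) === 1;
}

function isDateAnchored(string $value): bool
{
    // ^ and $ pin the pattern to the whole subject, but in PCRE $ still
    // matches before a final "\n", so a trailing newline is accepted.
    return preg_match('/^\d{4}-\d{2}-\d{2}$/', $value) === 1;
}

function isDateStrict(string $value): bool
{
    // The D (dollar end only) modifier makes $ match only at the very end
    // of the subject; '/\A\d{4}-\d{2}-\d{2}\z/' is an equivalent spelling.
    return preg_match('/^\d{4}-\d{2}-\d{2}$/D', $value) === 1;
}

// Constructed sample values (assumptions for this example).
$samples = [
    'clean'            => '1970-01-01',
    'trailing payload' => '1970-01-01<script>xss();</script>',
    'leading payload'  => '<script>xss();</script>1970-01-01',
    'trailing newline' => "1970-01-01\n",
];

foreach ($samples as $label => $value) {
    printf(
        "%-17s unanchored=%-5s anchored=%-5s strict=%s\n",
        $label,
        var_export(isDateUnanchored($value), true),
        var_export(isDateAnchored($value), true),
        var_export(isDateStrict($value), true)
    );
}
// Expected: only 'clean' is accepted by all three checks; the two payloads
// pass the unanchored check only; 'trailing newline' passes the unanchored
// and the plain ^...$ check but is rejected by the D-modified pattern.
```

Running the script shows why the rule asks for both anchors: the unanchored pattern accepts every sample, while only the strict pattern rejects the trailing newline case that the note above warns about.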
See also CWE-625: Permissive Regular Expression.
1.2.29.1. Suggestions
Add an anchor to the beginning and to the end of the string.
1.2.29.2. Specs
Short name | Security/AnchorRegex
Rulesets |
Exakat since | 0.12.15
PHP Version | All
Severity | Major
Time To Fix | Instant (5 mins)
Precision | High
Features | regex
Available in |