Be more restrictive with regexp matches #1

Closed
nvtkaszpir opened this Issue Jul 25, 2016 · 4 comments


nvtkaszpir commented Jul 25, 2016

Hi, I just wanted to point out that you should be a bit more strict in regexp matching, otherwise it's easy to get false positives.

Example - something like this - http://rubular.com/r/w6zDx6q2sJ

And after all, nice tutorial series, I'm still reading next entries about inspec :D

anniehedgpeth commented Jul 26, 2016

That's great, thanks, @nvtkaszpir !

anniehedgpeth commented Aug 1, 2016

@nvtkaszpir Would you mind helping me through this?

^(?!#)(?:\s*)gpgcheck=1(?:\s*)$

This is what I know:

  1. ^ Specifies that it should start at the beginning of the line.
  2. Anything in parentheses means that it can contain all of the things inside the parentheses.
  3. \s* says that it will allow any amount of whitespace
  4. $ specifies the end of the line - no characters should follow

This is what I don't know:

  1. (?!#) Is this allowing all of those characters? We definitely don't want it to be commented out, so we should leave out the #, right? What about the ? and !? Are you including those or do they mean something else?
  2. At the end section (?:\s*)$ what are the ? and : for?

I found a correct test, and it used:

^\s*fs.suid_dumpable = 0\s*(#.*)?$

I understand that it specifies:

  1. Any amount of white space can precede and/or follow the text.
  2. Anything written out AFTER a # can follow the text.

But I don't understand what the ? is for. Can you tell me what this means?

nvtkaszpir commented Aug 1, 2016

  1. yes
  2. (?!#) - match cannot contain # sign (so we ignore all commented lines), that's why there is ! sign to negate the match
  3. yes
  4. yes

See about Regexp Extensions
http://ruby-doc.com/docs/ProgrammingRuby/html/language.html#UN

About fs.suid_dumpable:

  1. yes
  2. yes, this allows optional comments in line with optional whitespace chars between 0 and a # sign (but I would rather change it to something like \s+ so that there is at least one whitespace char before the comment)

? means zero or more matches.

Notice, that regexp, which I suggested, does not allow for comments in the line.

After some fiddling I think it is better to use other methods (for example ini or parse_config) which do that exciting regexp matching for you. I'm really trying to avoid regexp if possible, it makes my eyes bleed :). Too many regexp entries just make reading the code much harder; see how difficult it is to find 'gpgcheck=1' in my initial regexp. It would be better to get the gpgcheck value (for example using parse_config), and check if it is in the allowed value range, which is AFAIR 0 and 1.
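
The points raised in this thread, as an added example that is not part of the original issue: the loose and strict gpgcheck patterns and the fs.suid_dumpable pattern are run over constructed config lines, and a small hypothetical stand-in for parse_config shows the value-based check nvtkaszpir suggests. The sample lines, REPO_CONF and the helper names are all constructed for illustration.

```ruby
# Added example (not from the original issue): run the patterns quoted in the thread over
# constructed config lines, then do the key=value parsing nvtkaszpir recommends instead.
LOOSE_GPGCHECK  = /gpgcheck=1/                         # naive substring match
STRICT_GPGCHECK = /^(?!#)(?:\s*)gpgcheck=1(?:\s*)$/    # suggested in the thread
SUID_DUMPABLE   = /^\s*fs.suid_dumpable = 0\s*(#.*)?$/ # quoted as-is (dot unescaped)

# Constructed yum.conf-style lines; only the first two represent an active gpgcheck=1.
YUM_CONF_LINES = [
  "gpgcheck=1",
  "   gpgcheck=1  ",
  "#gpgcheck=1",           # commented out, so the setting is not active
  "gpgcheck=10",           # different value that merely starts with 1
  "gpgcheck=1 # enabled",  # trailing comment, rejected by the strict pattern
].freeze

# Constructed sysctl-style lines; the third shows the zero-whitespace case raised above.
SYSCTL_LINES = [
  "fs.suid_dumpable = 0",
  "fs.suid_dumpable = 0 # disable core dumps of setuid programs",
  "fs.suid_dumpable = 0# no space before the comment",
  "fs.suid_dumpable = 02",
  "# fs.suid_dumpable = 0",
].freeze

def matching_lines(lines, pattern)
  lines.select { |line| line.match?(pattern) }
end

# Minimal key=value parser (a hypothetical stand-in for InSpec's parse_config): strips
# "#" comments, skips blank lines and lines without "=", last assignment wins.
def parse_config(lines)
  lines.each_with_object({}) do |line, settings|
    key, value = line.sub(/#.*$/, "").strip.split(/\s*=\s*/, 2)
    settings[key] = value if key && value
  end
end

# Constructed repo config; the commented-out gpgcheck=0 must not affect the result.
REPO_CONF = <<~CONF.split("\n")
  [main]
  # gpgcheck=0
  gpgcheck = 1   # comments are stripped before parsing
  installonly_limit=3
CONF

# Allowed values are 0 and 1 (per the thread); only "1" counts as enabled.
def gpgcheck_enabled?(lines)
  parse_config(lines)["gpgcheck"] == "1"
end
```

The loose pattern matches all five yum lines, including the commented-out one, while the strict pattern keeps only the two genuine settings; the parser-based check reads the same answer off REPO_CONF without any line-level regexp.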

anniehedgpeth commented Aug 1, 2016

You definitely make a great point, @nvtkaszpir. It's tricky and may lead to false passes too often. I think my plan will be to persuade people to use the regex searches as a last resort after all other avenues are exhausted. Thanks for your help!

@nvtkaszpir nvtkaszpir closed this Mar 23, 2017