Discourage unsafe regex #86
Comments
I can confirm that this is a common issue. Found exactly the same problem as reported by @stefansundin while performing a security assessment for an important tech company.

Indeed, the issue is bigger than I originally thought. Because it is so widespread, I actually think it might be prudent to add the start and end tags automatically, optionally disabling this behavior with an option.

👏

Build regex with end string anchor when string is used to configure origin [Fixes #86]

@stefansundin I'm reluctant to add the It just occurred to me though that what I can do is detect the presence of

Wonderful!
Hi.

So I noticed that the regex we used for a product wasn't that secure.

We used `origins(/https:\/\/example\.co/)`, but the problem with this regex is that it also allows example.com. So the simple fix is to add `^` in the beginning and `$` to the end. We actually just replaced the regex with a string, which fixed the issue for us, but for those that actually need a regex, I think it would be nice to explicitly mention to use the start and end tags in the README. Especially since most people probably just copy-paste and don't really think about what they are doing.

Also, the regex runs faster with a start boundary, even though it doesn't make it safer.

I think updating the example code with a regex to use `^` and `$` might be enough. Maybe even mention it in the Origin section.

Thanks!
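The over-match described in this issue, as an added example that is not part of the original issue or of rack-cors itself. It evaluates the unanchored pattern from the report against a few constructed `Origin` values, then the `^`/`$` version the reporter suggests, and finally a `\A`/`\z` version. The last one is included because in Ruby `^` and `$` are line anchors (they match around a newline inside the string), so `\A` and `\z` are the anchors that actually pin the pattern to the whole string; the sample origins below are constructed for the demonstration.

```ruby
# Added example (not rack-cors code): how an unanchored origin regex
# over-matches, and what each anchoring style does in Ruby.

# The pattern exactly as reported in the issue: nothing pins it to the
# start or end of the Origin value, so it matches any substring.
UNANCHORED = /https:\/\/example\.co/

# The fix suggested in the issue. Correct for ordinary single-line values,
# but in Ruby ^ and $ are *line* anchors.
LINE_ANCHORED = /^https:\/\/example\.co$/

# Whole-string anchors: \A is absolute start, \z is absolute end.
STRING_ANCHORED = /\Ahttps:\/\/example\.co\z/

# Constructed Origin header values used as test input.
SAMPLE_ORIGINS = [
  "https://example.co",                       # the only one that should pass
  "https://example.com",                      # the over-match from the report
  "https://example.co.evil.test",             # constructed: prefix-extended host
  "https://evil.test/?u=https://example.co",  # constructed: pattern in the query
  "https://example.co\nhttps://evil.test",    # constructed: embedded newline
].freeze

# Returns true when the pattern accepts the origin, mirroring a
# regex-configured origin check (match anywhere in the string).
def origin_allowed?(pattern, origin)
  pattern.match?(origin)
end

# Evaluate one pattern against every sample origin: { origin => allowed? }.
def evaluate(pattern)
  SAMPLE_ORIGINS.to_h { |origin| [origin, origin_allowed?(pattern, origin)] }
end

# Count how many of the constructed origins a pattern lets through.
def accepted_count(pattern)
  evaluate(pattern).values.count(true)
end

if __FILE__ == $PROGRAM_NAME
  { "unanchored" => UNANCHORED,
    "^...$"      => LINE_ANCHORED,
    "\\A...\\z"  => STRING_ANCHORED }.each do |label, pattern|
    puts "#{label}:"
    evaluate(pattern).each { |origin, ok| puts "  #{ok ? 'ALLOW' : 'deny '} #{origin.inspect}" }
  end
end
```

Running the script shows the unanchored pattern accepting every sample, the `^`/`$` pattern rejecting all but the exact origin and the newline case, and the `\A`/`\z` pattern accepting only `https://example.co`. Configuring the origin as a plain string, as the reporter did, sidesteps the whole class of problem because no pattern semantics are involved.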