From 811c175556b50a731782825e6d9f4d37e635b91a Mon Sep 17 00:00:00 2001
From: erik-krogh
Date: Mon, 15 Apr 2024 16:31:14 +0200
Subject: [PATCH] add example for domain names with sub-domains to
missing-regexp-anchor
---
.../CWE-020/MissingRegexpAnchor.qhelp | 6 ++++++
.../CWE-020/MissingRegexpAnchorGoodDomain.go | 20 +++++++++++++++++++
2 files changed, 26 insertions(+)
create mode 100644 go/ql/src/Security/CWE-020/MissingRegexpAnchorGoodDomain.go
diff --git a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp
index df238e10ee6d..cac3c7268c78 100644
--- a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp
+++ b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp
@@ -45,6 +45,12 @@ one of the alternatives. As an example, the regular expression
(^www\.example\.com)|(beta\.example\.com)/
, so the second alternative
beta\.example\.com
is not anchored at the beginning of the string.
+
+
+When checking for a domain name with subdomains, it is important to anchor the regular expression
+or ensure that the domain name is prefixed with a dot.
+
+
diff --git a/go/ql/src/Security/CWE-020/MissingRegexpAnchorGoodDomain.go b/go/ql/src/Security/CWE-020/MissingRegexpAnchorGoodDomain.go
new file mode 100644
index 000000000000..6e5ec1b24dc6
--- /dev/null
+++ b/go/ql/src/Security/CWE-020/MissingRegexpAnchorGoodDomain.go
@@ -0,0 +1,20 @@
+package main
+
+import (
+ "regexp"
+)
+
+func checkSubdomain(domain String) {
+ // Checking strictly that the domain is `example.com`.
+ re := "^example\\.com$"
+ if matched, _ := regexp.MatchString(re, domain); matched {
+ // domain is good.
+ }
+
+ // GOOD: Alternatively, check the domain is `example.com` or a subdomain of `example.com`.
+ re2 := "(^|\\.)example\\.com$"
+
+ if matched, _ := regexp.MatchString(re2, domain); matched {
+ // domain is good.
+ }
+}
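Review bot: The parameter type on the `func checkSubdomain` line is `String`, which is not a Go type, so this new example file will not compile as written; the line should read `func checkSubdomain(domain string) {`. Both `regexp.MatchString` calls discard their error with `_`; since the patterns here are string literals that is harmless, but a sample that readers copy would be better served by compiling them once with `regexp.MustCompile` at package scope, or at least by a comment such as `// error ignored: pattern is a constant literal`. The first, strict check `^example\\.com$` also lacks the `// GOOD:` label that the subdomain variant carries, so a reader scanning the example may not recognise that both forms are correctly anchored.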