Anchoring in Regular Expression Checks

[knaveofdiamonds]

Not entirely sure if this is a bug/incomplete feature or not. In the Regular Expression checks, you're looking for \A and \Z to check that the validation is anchored correctly. Is it not equally valid to use '^' and '$' (which is what I'm doing, resulting in what might be false positives if my understanding is right)?

Happy to provide a patch to fix this if '^' and '$' should be allowed as well.

[presidentbeef]

Hi Roland, thanks for the feedback!

However, these are not false positives. Using ^ and $ is not sufficient, as they will match newlines. Once a newline is encountered, the pattern is matched, allowing an attacker to insert whatever they wish after that (or before, if ^ is used).

The Rails Security Guide has a good explanation of this issue.

[joealba]

In Ruby, the '$' serves as an end-of-line anchor, not end-of-string. Dan Kubb wrote a gist which describes this issue pretty well:

https://gist.github.com/1444431

[knaveofdiamonds]

Thanks for clearing that up.