Oops, fix regex patterns to use \A to \z instead of ^ to $

Oh huh, TIL in Ruby `^` *always* means "start of line", whereas in many
languages' regular expression engines it means "start of string" unless
you enable a special multiline flag for the pattern.

I've fixed this in a number of expressions now!

I'm noticing this in the context of doing some security training work
where this was the cause of a sample vulnerability, but, looking at our own
case, I don't think there was anything *abusable* here? But this is
just more correct, so let's be more correct!
This commit is contained in:
Emi Matchu 2024-06-28 01:32:15 -07:00
parent 5401ea984a
commit 2a34e8be6d
4 changed files with 8 additions and 8 deletions


@ -157,7 +157,7 @@ module ItemsHelper
end end
NC_TRADE_VALUE_ESTIMATE_PATTERN = %r{ NC_TRADE_VALUE_ESTIMATE_PATTERN = %r{
^\s* \A\s*
(?: (?:
# Case 1: A single number # Case 1: A single number
(?<single>[0-9]+) (?<single>[0-9]+)
@ -167,7 +167,7 @@ module ItemsHelper
\p{Dash_Punctuation} \p{Dash_Punctuation}
(?<high>[0-9]+) (?<high>[0-9]+)
) )
\s*$ \s*\z
}x }x
def nc_trade_value_is_estimate(nc_trade_value) def nc_trade_value_is_estimate(nc_trade_value)
nc_trade_value.value_text.match?(NC_TRADE_VALUE_ESTIMATE_PATTERN) nc_trade_value.value_text.match?(NC_TRADE_VALUE_ESTIMATE_PATTERN)
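Review bot: The reason for the `\A`/`\z` anchors lives only in the commit message, and the next person to touch `NC_TRADE_VALUE_ESTIMATE_PATTERN` will not see it; a one-line comment above the constant would keep it in the code, e.g. `# Anchored with \A/\z (not ^/$, which are per-line in Ruby) so the whole value_text must be the estimate.`. The surrounding `\s*` already absorbs any trailing newline, so this hunk changes nothing for single-line values and only stops a multi-line value from matching on one inner line. The same comment would fit `DYEWORKS_NAME_PATTERN` in the second file.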


@ -88,13 +88,13 @@ class Item
# the `dyeworks_base_item` relationship in the database; after that, we # the `dyeworks_base_item` relationship in the database; after that, we
# just use whatever the database says. (This allows manual overrides!) # just use whatever the database says. (This allows manual overrides!)
DYEWORKS_NAME_PATTERN = %r{ DYEWORKS_NAME_PATTERN = %r{
^( \A(
# Most Dyeworks items have a colon in the name. # Most Dyeworks items have a colon in the name.
Dyeworks\s+(?<color>.+?:)\s*(?<base>.+) Dyeworks\s+(?<color>.+?:)\s*(?<base>.+)
| |
# But sometimes they omit it. If so, assume the first word is the color! # But sometimes they omit it. If so, assume the first word is the color!
Dyeworks\s+(?<color>\S+)\s*(?<base>.+) Dyeworks\s+(?<color>\S+)\s*(?<base>.+)
)$ )\z
}x }x
def inferred_dyeworks_base_item def inferred_dyeworks_base_item
name_match = name.match(DYEWORKS_NAME_PATTERN) name_match = name.match(DYEWORKS_NAME_PATTERN)
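Review bot: With `\A(...)\z` the `.+` in both alternatives still stops at a newline, so a `name` with a trailing newline no longer matches at all, whereas the old `$` matched just before it; that is the right strictness for whole-string matching, but I cannot see from this hunk whether item names are normalized before they reach `inferred_dyeworks_base_item`. If they are not guaranteed stripped, such a name would now silently stop being recognized as Dyeworks, and `name_match = name.strip.match(DYEWORKS_NAME_PATTERN)` keeps the strict anchors without that regression. `inferred_dyeworks_base_item` continues outside the hunk.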


@ -64,7 +64,7 @@ class Item
when 'fits' when 'fits'
# First, try the `fits:blue-acara` case. # First, try the `fits:blue-acara` case.
# NOTE: This will also work for `fits:"usuki girl-usul"`! # NOTE: This will also work for `fits:"usuki girl-usul"`!
match = value.match(/^([^-]+)-([^-]+)$/) match = value.match(/\A([^-]+)-([^-]+)\z/)
if match.present? if match.present?
color_name, species_name = match.captures color_name, species_name = match.captures
pet_type = load_pet_type_by_name(color_name, species_name) pet_type = load_pet_type_by_name(color_name, species_name)
@ -74,7 +74,7 @@ class Item
end end
# Next, try the `fits:alt-style-87305` case. # Next, try the `fits:alt-style-87305` case.
match = value.match(/^alt-style-([0-9]+)$/) match = value.match(/\Aalt-style-([0-9]+)\z/)
if match.present? if match.present?
alt_style_id, = match.captures alt_style_id, = match.captures
alt_style = load_alt_style_by_id(alt_style_id) alt_style = load_alt_style_by_id(alt_style_id)
@ -85,7 +85,7 @@ class Item
# Next, try the `fits:nostalgic-faerie-draik` case. # Next, try the `fits:nostalgic-faerie-draik` case.
# NOTE: This will also work for `fits:"nostalgic-usuki girl-usul"`! # NOTE: This will also work for `fits:"nostalgic-usuki girl-usul"`!
match = value.match(/^([^-]+)-([^-]+)-([^-]+)$/) match = value.match(/\A([^-]+)-([^-]+)-([^-]+)\z/)
if match.present? if match.present?
series_name, color_name, species_name = match.captures series_name, color_name, species_name = match.captures
alt_style = load_alt_style_by_name( alt_style = load_alt_style_by_name(
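Review bot: This file parses user-supplied search values, and its three hunks (the `fits:blue-acara`, `fits:alt-style-NNN` and `fits:nostalgic-faerie-draik` patterns) share the same fix, but the commit adds no regression test pinning it; a spec asserting that a value like `"blue-acara\nanything"` no longer matches the first pattern would stop a later edit from reintroducing `^`/`$`. The point matters here because `[^-]+` does match newlines, so under the old anchors a value with embedded newlines could satisfy the pattern with captures spanning lines and those captures went straight into `load_pet_type_by_name`; with `\A`/`\z` the whole value must be the single `color-species` pair the `fits:` syntax intends. The enclosing `when 'fits'` branch and its method start before the first hunk and continue past the last.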


@ -174,7 +174,7 @@ class Outfit < ApplicationRecord
self.name.strip! self.name.strip!
# Get the base name of the provided name, without any "(1)" suffixes. # Get the base name of the provided name, without any "(1)" suffixes.
base_name = name.sub(/\s*\([0-9]+\)$/, '') base_name = name.sub(/\s*\([0-9]+\)\z/, '')
# Find the user's other outfits that start with the same base name, and get # Find the user's other outfits that start with the same base name, and get
# *their* names, with whitespace stripped. # *their* names, with whitespace stripped.