Oops, fix regex patterns to use \A to \z instead of ^ to $

Oh huh, TIL in Ruby `^` *always* means "start of line", whereas in many languages' regular expression engines it means "start of string" unless you enable a special multiline flag for the pattern. I've fixed this in a number of expressions now! I'm noticing this in the context of doing some security training work where this the cause of a sample vulnerability, but, looking at our own case, I don't think there was anything *abusable* here? But this is just more correct, so let's be more correct!
2024-06-28 01:32:15 -07:00 · 2024-06-28 01:32:15 -07:00 · 2a34e8be6d
commit 2a34e8be6d
parent 5401ea984a
4 changed files with 8 additions and 8 deletions
--- a/app/helpers/items_helper.rb
+++ b/app/helpers/items_helper.rb
@ -157,7 +157,7 @@ module ItemsHelper
  end

  NC_TRADE_VALUE_ESTIMATE_PATTERN = %r{
-    ^\s*
+    \A\s*
    (?:
      # Case 1: A single number
      (?<single>[0-9]+)
@ -167,7 +167,7 @@ module ItemsHelper
      \p{Dash_Punctuation}
      (?<high>[0-9]+)
    )
-    \s*$
+    \s*\z
  }x
  def nc_trade_value_is_estimate(nc_trade_value)
    nc_trade_value.value_text.match?(NC_TRADE_VALUE_ESTIMATE_PATTERN)
--- a/app/models/item/dyeworks.rb
+++ b/app/models/item/dyeworks.rb
@ -88,13 +88,13 @@ class Item
 		# the `dyeworks_base_item` relationship in the database; after that, we
 		# just use whatever the database says. (This allows manual overrides!)
 		DYEWORKS_NAME_PATTERN = %r{
-			^(
+			\A(
 				# Most Dyeworks items have a colon in the name.
 				Dyeworks\s+(?<color>.+?:)\s*(?<base>.+)
 				|
 				# But sometimes they omit it. If so, assume the first word is the color!
 				Dyeworks\s+(?<color>\S+)\s*(?<base>.+)
-			)$
+			)\z
 		}x
 		def inferred_dyeworks_base_item
 			name_match = name.match(DYEWORKS_NAME_PATTERN)
--- a/app/models/item/search/query.rb
+++ b/app/models/item/search/query.rb
@ -64,7 +64,7 @@ class Item
        when 'fits'
          # First, try the `fits:blue-acara` case.
          # NOTE: This will also work for `fits:"usuki girl-usul"`!
-          match = value.match(/^([^-]+)-([^-]+)$/)
+          match = value.match(/\A([^-]+)-([^-]+)\z/)
          if match.present?
            color_name, species_name = match.captures
            pet_type = load_pet_type_by_name(color_name, species_name)
@ -74,7 +74,7 @@ class Item
          end

          # Next, try the `fits:alt-style-87305` case.
-          match = value.match(/^alt-style-([0-9]+)$/)
+          match = value.match(/\Aalt-style-([0-9]+)\z/)
          if match.present?
            alt_style_id, = match.captures
            alt_style = load_alt_style_by_id(alt_style_id)
@ -85,7 +85,7 @@ class Item

          # Next, try the `fits:nostalgic-faerie-draik` case.
          # NOTE: This will also work for `fits:"nostalgic-usuki girl-usul"`!
-          match = value.match(/^([^-]+)-([^-]+)-([^-]+)$/)
+          match = value.match(/\A([^-]+)-([^-]+)-([^-]+)\z/)
          if match.present?
            series_name, color_name, species_name = match.captures
            alt_style = load_alt_style_by_name(
--- a/app/models/outfit.rb
+++ b/app/models/outfit.rb
@ -174,7 +174,7 @@ class Outfit < ApplicationRecord
    self.name.strip!

    # Get the base name of the provided name, without any "(1)" suffixes.
-    base_name = name.sub(/\s*\([0-9]+\)$/, '')
+    base_name = name.sub(/\s*\([0-9]+\)\z/, '')

    # Find the user's other outfits that start with the same base name, and get
    # *their* names, with whitespace stripped.