From 2a34e8be6df871a14db517210cb2b94cbd1d4d64 Mon Sep 17 00:00:00 2001
From: Emi Matchu
Date: Fri, 28 Jun 2024 01:32:15 -0700
Subject: [PATCH] Oops, fix regex patterns to use `\A` to `\z` instead of `^` to `$`

Oh huh, TIL in Ruby `^` *always* means "start of line", whereas in many languages' regular expression engines it means "start of string" unless you enable a special multiline flag for the pattern. I've fixed this in a number of expressions now! I'm noticing this in the context of doing some security training work where this the cause of a sample vulnerability, but, looking at our own case, I don't think there was anything *abusable* here? But this is just more correct, so let's be more correct!
---
 app/helpers/items_helper.rb | 4 ++--
 app/models/item/dyeworks.rb | 4 ++--
 app/models/item/search/query.rb | 6 +++---
 app/models/outfit.rb | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/helpers/items_helper.rb b/app/helpers/items_helper.rb
index ac714d7d..af12646b 100644
--- a/app/helpers/items_helper.rb
+++ b/app/helpers/items_helper.rb
@@ -157,7 +157,7 @@ module ItemsHelper
 end
 NC_TRADE_VALUE_ESTIMATE_PATTERN = %r{
- ^\s*
+ \A\s*
 (?:
 # Case 1: A single number
 (?[0-9]+)
@@ -167,7 +167,7 @@ module ItemsHelper
 \p{Dash_Punctuation}
 (?[0-9]+)
 )
- \s*$
+ \s*\z
 }x
 def nc_trade_value_is_estimate(nc_trade_value)
 nc_trade_value.value_text.match?(NC_TRADE_VALUE_ESTIMATE_PATTERN)
diff --git a/app/models/item/dyeworks.rb b/app/models/item/dyeworks.rb
index 5a458580..0178f9ab 100644
--- a/app/models/item/dyeworks.rb
+++ b/app/models/item/dyeworks.rb
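Review bot: The `\A`/`\z` anchoring in NC_TRADE_VALUE_ESTIMATE_PATTERN is right, but nothing in the change pins it, so a later edit can quietly drift back to `^`/`$`; a spec asserting that `nc_trade_value_is_estimate` rejects a value whose `value_text` is `"100\nnot a number"` (constructed example) fails on the old pattern and passes on this one. The same missing regression check applies to the dyeworks, query and outfit hunks below, so one spec per pattern would cover the whole commit. `\z` rather than `\Z` is the correct choice here, since `\Z` still admits a single trailing newline before the end of the string. The named groups appear as `(?[0-9]+)` in this rendering, presumably `(?<name>…)` with the angle brackets stripped by the page; worth confirming against the file, since `(?[` by itself is not a valid group in Ruby's regex engine.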
@@ -88,13 +88,13 @@ class Item
 # the `dyeworks_base_item` relationship in the database; after that, we
 # just use whatever the database says. (This allows manual overrides!)
 DYEWORKS_NAME_PATTERN = %r{
- ^(
+ \A(
 # Most Dyeworks items have a colon in the name.
 Dyeworks\s+(?.+?:)\s*(?.+)
 |
 # But sometimes they omit it. If so, assume the first word is the color!
 Dyeworks\s+(?\S+)\s*(?.+)
- )$
+ )\z
 }x
 def inferred_dyeworks_base_item
 name_match = name.match(DYEWORKS_NAME_PATTERN)
diff --git a/app/models/item/search/query.rb b/app/models/item/search/query.rb
index 3a635ff4..5e46b23d 100644
--- a/app/models/item/search/query.rb
+++ b/app/models/item/search/query.rb
@@ -64,7 +64,7 @@ class Item
 when 'fits'
 # First, try the `fits:blue-acara` case.
 # NOTE: This will also work for `fits:"usuki girl-usul"`!
- match = value.match(/^([^-]+)-([^-]+)$/)
+ match = value.match(/\A([^-]+)-([^-]+)\z/)
 if match.present?
 color_name, species_name = match.captures
 pet_type = load_pet_type_by_name(color_name, species_name)
@@ -74,7 +74,7 @@ class Item
 end
 # Next, try the `fits:alt-style-87305` case.
- match = value.match(/^alt-style-([0-9]+)$/)
+ match = value.match(/\Aalt-style-([0-9]+)\z/)
 if match.present?
 alt_style_id, = match.captures
 alt_style = load_alt_style_by_id(alt_style_id)
@@ -85,7 +85,7 @@ class Item
 # Next, try the `fits:nostalgic-faerie-draik` case.
 # NOTE: This will also work for `fits:"nostalgic-usuki girl-usul"`!
- match = value.match(/^([^-]+)-([^-]+)-([^-]+)$/)
+ match = value.match(/\A([^-]+)-([^-]+)-([^-]+)\z/)
 if match.present?
 series_name, color_name, species_name = match.captures
 alt_style = load_alt_style_by_name(
diff --git a/app/models/outfit.rb b/app/models/outfit.rb
index 3581fe1a..15b43e75 100644
--- a/app/models/outfit.rb
+++ b/app/models/outfit.rb
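Review bot: With `\A(` … `)\z` wrapped around alternatives built from `.+`, which does not cross a newline without the `m` flag, DYEWORKS_NAME_PATTERN now fails outright on any name containing a newline (including a trailing one), where `^` … `$` used to match the first line; `name.match` then returns `nil` to `inferred_dyeworks_base_item`, whose body continues past the end of the hunk. That is the intended tightening, but if item names can arrive with trailing whitespace it may be safer to match against `name.strip` — I cannot see how `name` is populated from here, so verify that before changing it. A short comment above the pattern recording the decision would stop the next reader from "fixing" it back, e.g. `# \A/\z rather than ^/$: the whole name must match, so a name with an embedded or trailing newline is not treated as a Dyeworks item.`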
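Review bot: The three `fits:` patterns changed at -64, -74 and -85 are inline literals that differ only in arity; naming them as constants next to each other, e.g. `FITS_PET_TYPE_PATTERN = /\A([^-]+)-([^-]+)\z/`, `FITS_ALT_STYLE_ID_PATTERN = /\Aalt-style-([0-9]+)\z/` and `FITS_ALT_STYLE_NAME_PATTERN = /\A([^-]+)-([^-]+)-([^-]+)\z/`, would match how items_helper.rb and dyeworks.rb already declare their patterns and put the anchoring choice in one reviewable place. Since `[^-]` also matches a newline, the `\A`/`\z` anchors are the only thing keeping a multi-line `value` from being accepted by the first and third patterns, which is worth saying in a comment beside them. The `when 'fits'` arm and the method around it start and end outside the hunk.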
@@ -174,7 +174,7 @@ class Outfit < ApplicationRecord
 self.name.strip!
 # Get the base name of the provided name, without any "(1)" suffixes.
- base_name = name.sub(/\s*\([0-9]+\)$/, '')
+ base_name = name.sub(/\s*\([0-9]+\)\z/, '')
 # Find the user's other outfits that start with the same base name, and get
 # *their* names, with whitespace stripped.