rspec/rules/S6393/php/rule.adoc

75 lines
2.2 KiB
Plaintext
Raw Normal View History

== Why is this an issue?
Regular expressions are patterns used to match and manipulate strings based on specific rules.
The pattern provided to PHP regular expression functions is required to be enclosed in valid delimiters to be working correctly.
=== What is the potential impact?
Failing to enclose the pattern with valid delimiters will result in a PHP warning and the pattern never matching.
Since the warning only appears during runtime when the pattern is evaluated, such a mistake risks to get unnoticed into production.
The use of suppressed warnings in PHP can further complicate this issue.
As regex pattern are often used for validation or sanitization, the suppress warnings feature can obscure any problems regarding incorrect patterns.
As the incorrect patterns are not recognized and have no effect, this could lead to more serious security issues.
== How to fix it in Core PHP
The provided pattern should be enclosed in valid delimiters.
A delimiter can be any character that is not alphanumeric, a backslash, or a whitespace.
Bracket style delimiters are also allowed.
Further information about possible delimiters can be found in the provided resources.
=== Code examples
==== Noncompliant code example
[source,php,diff-id=1,diff-type=noncompliant]
----
// Condition will always evaluate to false
if (preg_match("/.*", $input)) {
echo "true";
} else {
echo "false";
}
// Unclosed bracket delimiters
$result = preg_match("[abc", $input);
----
==== Compliant solution
[source,php,diff-id=1,diff-type=compliant]
----
if (preg_match("/.*/", $input)) {
echo "true";
} else {
echo "false";
}
$result = preg_match("[abc]", $input);
----
== Resources
* https://www.php.net/manual/en/regexp.reference.delimiters.php[Delimiters] - PHP Documentation
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* In case there is no opening delimiter: Add delimiters to this regular expression.
* In case there is no closing delimiter (x being the appropriate end delimiter): Add the missing "x" delimiter to this regular expression.
=== Highlighting
The string representing the regular expression.
endif::env-github,rspecator-view[]