stil4m/elm-analyse

False positive: Regex check

Closed this issue · 5 comments

The regex check falsely identifies the following regex builder as "non-static", which is correct but might be considered a false positive for dynamic regex patterns:

import Regex exposing (Regex)

-- Builds the pattern from a caller-supplied key, spliced in without escaping.
regexStringComment : String -> Regex
regexStringComment key =
    Regex.regex ("\\{-\\| ([^\\}]*)\\n-\\}\\n" ++ key ++ "\\s+:")

I believe this is not a false positive: When regexStringComment "[+" is invoked you will get a runtime exception.

Ok, then I misread the analyser warning. I thought the issue was about performance, not safety. Maybe there should be two different warnings: one if regex is used without static where the pattern is not dynamic, and another warning about potential sanitization issues.

Check. Good point. Can you create a new issue for the potential sanitisation?

Not really clear how you would check that the string is correctly sanitized.

I'll think about this. Should be possible to check this. I'll close this ticket though.
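To make the runtime exception from the second comment and the sanitisation question from the later comments concrete, here is an added example (not code from elm-analyse or from anyone in this thread). Elm 0.18's `Regex.regex` compiles to JavaScript's `new RegExp(pattern, "g")`, so the issue's builder is reproduced directly in JavaScript; `escapeRegex`, `regexStringCommentSafe`, `buildThrows`, `docCommentFor` and the `SAMPLE` text are all constructed for this example.

```javascript
// Added example, not elm-analyse or issue-author code. Elm 0.18's Regex.regex
// compiles to JavaScript's `new RegExp(pattern, "g")`, so the issue's builder
// is reproduced here directly to show the crash and an escaped alternative.

// Same shape as regexStringComment in the issue: `key` is spliced in unescaped.
function regexStringComment(key) {
  return new RegExp("\\{-\\| ([^\\}]*)\\n-\\}\\n" + key + "\\s+:", "g");
}

// Escape regex metacharacters so `key` is matched literally; this is the
// sanitisation step the thread asks about (Elm 0.18 offers Regex.escape).
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened builder: identical pattern, but the dynamic part is escaped first.
function regexStringCommentSafe(key) {
  return regexStringComment(escapeRegex(key));
}

// True when constructing the pattern for `key` raises a SyntaxError,
// which is the runtime exception the second comment describes.
function buildThrows(build, key) {
  try {
    build(key);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Extract the doc-comment body preceding the type signature of `key`,
// or null when the pattern does not match `source`.
function docCommentFor(build, key, source) {
  const m = build(key).exec(source);
  return m ? m[1] : null;
}

// Constructed sample input: a doc comment followed by the signature of `[+`.
const SAMPLE = "{-| Infix plus\n-}\n[+ : Int -> Int -> Int\n";

// A static key behaves the same in both builders; the key "[+" from the
// thread makes the unescaped builder throw while the escaped one matches.
console.log(buildThrows(regexStringComment, "map"));            // false
console.log(buildThrows(regexStringComment, "[+"));             // true
console.log(buildThrows(regexStringCommentSafe, "[+"));         // false
console.log(docCommentFor(regexStringCommentSafe, "[+", SAMPLE)); // "Infix plus"
```

An analyser that wants to distinguish the two warnings the thread proposes only needs to see whether the argument to `Regex.regex` is a literal (first warning) or built from a non-literal that never passes through an escape function such as `Regex.escape` (second warning).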