The regexp example is dangerously permissive
jub0bs opened this issue ยท 4 comments
The documentation contains the following example:
plug Corsica, origins: ~r{^https?://(.*\.?)foo\.com$}
Presumably, it's designed to capture all Web origins whose host is exactly foo.com
or some direct subdomain of foo.com
(e.g. bar.foo.com
), and reject all other Web origins.
However, the backslashes don't get rendered in the generated documentation:
plug Corsica, origins: ~r{^https?://(.*.?)foo.com$}
This may mislead users into thinking that such a regexp is safe, but it's too permissive: it indeed matches Web origins like https://attacker-foo.com
. You should make sure that backslashes are retained in the generated doc.
Actually, even if the backslashes are retained, the regexp remains too permissive. Because the ?
only applies to the literal .
, the regexp still matches Web origins like https://attacker-foo.com
. Instead, it should probably be
plug Corsica, origins: ~r{^https?://(.*\.)?foo\.com$}
(Note that the second ?
now applies to the capturing group rather than just the literal .
.)
Nice yep! To make this render correctly we just need to turn """
into ~S"""
at the start of the module doc. @jub0bs would you be able to send a PR? ๐
@whatyouhide I'm hesitant to contribute a PR, as I'm not well-versed in Elixir. I just wanted to highlight the issue. ๐
@whatyouhide Fast turnaround! ๐ช