The regexp example is dangerously permissive

Question

The regexp example is dangerously permissive

jub0bs opened this issue a year ago · 4 comments

The documentation contains the following example:

plug Corsica, origins: ~r{^https?://(.*\.?)foo\.com$}

Presumably, it's designed to capture all Web origins whose host is exactly foo.com or some direct subdomain of foo.com (e.g. bar.foo.com), and reject all other Web origins.

However, the backslashes don't get rendered in the generated documentation:

plug Corsica, origins: ~r{^https?://(.*.?)foo.com$}

This may mislead users into thinking that such a regexp is safe, but it's too permissive: it indeed matches Web origins like https://attacker-foo.com. You should make sure that backslashes are retained in the generated doc.

Actually, even if the backslashes are retained, the regexp remains too permissive. Because the ? only applies to the literal ., the regexp still matches Web origins like https://attacker-foo.com. Instead, it should probably be

plug Corsica, origins: ~r{^https?://(.*\.)?foo\.com$}

(Note that the second ? now applies to the capturing group rather than just the literal ..)

Answer 1 · 2023-10-27T21:50:56.000Z

Related: #49

Answer 2 · 2023-10-28T07:16:29.000Z

Nice yep! To make this render correctly we just need to turn """ into ~S""" at the start of the module doc. @jub0bs would you be able to send a PR? 🙃

Answer 3 · 2023-10-28T07:20:13.000Z

@whatyouhide I'm hesitant to contribute a PR, as I'm not well-versed in Elixir. I just wanted to highlight the issue. 😇

Answer 4 · 2023-10-28T10:37:38.000Z

@whatyouhide Fast turnaround! 💪