The dangers of single line regular expressions - eviltoast

The Neonify challenge on Hack The Box is a small Sinatra (a Ruby web framework) app that generates a glowing text of the submitted value:

  • czan@aussie.zone
    7 months ago

    Another application of Parse, don’t validate. The vulnerability isn’t really about the single-line regex, it’s that the validation doesn’t match the use. If the regex extracted (read: parsed) the valid bit with a group, then passed that through, it would be fine.

    • DaleGribble88@programming.dev
      7 months ago

      Holy cow! What an absolute slog of a read. I’m not an AI model, but I’ll do my best to summarize that link:

      [When writing code that works with non-trivial and null-able data types,] use a data structure that makes illegal states unrepresentable. Model your data using the most precise data structure you reasonably can[, …] as quickly as you can. [W]rite functions on the data representation you wish you had, not the data representation you are given. The design process then becomes an exercise in bridging the gap.

      There. Hopefully someone out there learned something cool without having to read a 25-minute striptease before the author rushes through their main idea in the span of two bullet points found in the final 25% of the article.
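
The point in czan's comment above, as an added Ruby example that is not part of the thread or the challenge's code: a line-anchored check that validates one line but passes the whole string on, next to two variants that pass on only what the regex matched. The pattern, function names and sample inputs are assumptions made for illustration.

```ruby
# Added example; pattern and names are assumed, not taken from the challenge.

# In Ruby, ^ and $ match at every line boundary, not only at the string ends.
LINE_ANCHORED   = /^([0-9a-z ]+)$/i
# \A and \z match only at the very start and very end of the string.
STRING_ANCHORED = /\A([0-9a-z ]+)\z/i

# Validate, then use: the check looks at one line, the caller gets all of them.
def validate_then_use(input)
  return nil unless LINE_ANCHORED.match?(input)
  input
end

# Parse with a group: only the text the regex actually matched is passed on.
def parse_line(input)
  m = LINE_ANCHORED.match(input)
  m && m[1]
end

# Parse with string anchors: input with extra lines is rejected outright.
def parse_strict(input)
  m = STRING_ANCHORED.match(input)
  m && m[1]
end

# Constructed sample inputs: one clean value, one with an unchecked second line.
SAMPLES = ["neon text", "neon text\n<never checked>"].freeze

SAMPLES.each do |s|
  puts "input:             #{s.inspect}"
  puts "  validate_then_use #{validate_then_use(s).inspect}"
  puts "  parse_line        #{parse_line(s).inspect}"
  puts "  parse_strict      #{parse_strict(s).inspect}"
end
```

`\z` is used rather than `\Z` because `\Z` still accepts a single trailing newline.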