fix: Missing regular expression anchor (#7077)

Signed-off-by: Sonu Saha <sonu.saha@progress.com>
Sonu Saha 2024-07-10 16:46:12 +05:30 committed by GitHub
parent 0fd3714229
commit 8ea98d2a18
GPG key ID: B5690EEEBB952194


@ -189,7 +189,11 @@ module Inspec
def parse_cli_input_value(input_name, given_value)
value = given_value.chomp(",") # Trim trailing comma if any
case value
when /^true|false$/i
# Changed regex to use \A and \z instead of ^ and $ for stricter start and end of string matching.
# This prevents potential bypass issues with multi-line input and ensures the entire string
# is exactly "true" or "false", enhancing security when dealing with untrusted input.
# Issue detected here: https://github.com/inspec/inspec/security/code-scanning/41
when /\A(true|false)\z/i
value = !!(value =~ /true/i)
when /^-?\d+$/
value = value.to_i
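Review bot: The integer branch right after the fixed one, `when /^-?\d+$/`, still uses the line anchors that the commit replaces in the boolean branch, so in Ruby a multi-line value such as `"abc\n12"` (constructed example) matches that branch and `to_i` then returns 0 instead of the input being left as a string; it should become `when /\A-?\d+\z/`. The four-line comment added above the boolean branch reads as a changelog entry (what was changed, plus a scanner link) rather than stating intent; a single line such as `# \A and \z anchor the whole string; ^ and $ only anchor a line in Ruby` would suffice, with the history left to the commit message. parse_cli_input_value continues past the hunk, and any further `when` branches there presumably follow the same `^...$` pattern and should be checked against the same rule.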