fix: Missing regular expression anchor (#7077)
Signed-off-by: Sonu Saha <sonu.saha@progress.com>
This commit is contained in:
parent
0fd3714229
commit
8ea98d2a18
1 changed files with 5 additions and 1 deletions
@ -189,7 +189,11 @@ module Inspec
def parse_cli_input_value(input_name, given_value)
value = given_value.chomp(",") # Trim trailing comma if any
case value
when /^true|false$/i
# Changed regex to use \A and \z instead of ^ and $ for stricter start and end of string matching.
# This prevents potential bypass issues with multi-line input and ensures the entire string
# is exactly "true" or "false", enhancing security when dealing with untrusted input.
# Issue detected here: https://github.com/inspec/inspec/security/code-scanning/41
when /\A(true|false)\z/i
value = !!(value =~ /true/i)
when /^-?\d+$/
value = value.to_i
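Review bot: The integer branch `when /^-?\d+$/` two lines below the new boolean branch still uses the line anchors `^`/`$` that this commit replaces, so a value containing a newline (e.g. "5\nabc") still matches on its first line and `to_i` silently keeps only the leading digits; for consistency with the fix it should read `when /\A-?\d+\z/`. The four-line comment above the new `when` mostly restates what the regex now shows; a single line such as `# \A/\z rather than ^/$: match the whole string, not a line (code-scanning/41)` would carry the same information. parse_cli_input_value continues past the end of the hunk, so any remaining `when` branches there that use `^`/`$` presumably need the same change.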