fix: Missing regular expression anchor (#7077)
Signed-off-by: Sonu Saha <sonu.saha@progress.com>
This commit is contained in:
parent
0fd3714229
commit
8ea98d2a18
1 changed files with 5 additions and 1 deletions
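--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -189,7 +189,11 @@ module Inspec
 def parse_cli_input_value(input_name, given_value)
 value = given_value.chomp(",") # Trim trailing comma if any
 case value
-when /^true|false$/i
+# Changed regex to use \A and \z instead of ^ and $ for stricter start and end of string matching.
+# This prevents potential bypass issues with multi-line input and ensures the entire string
+# is exactly "true" or "false", enhancing security when dealing with untrusted input.
+# Issue detected here: https://github.com/inspec/inspec/security/code-scanning/41
+when /\A(true|false)\z/i
 value = !!(value =~ /true/i)
 when /^-?\d+$/
 value = value.to_i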
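Review bot: The integer branch two lines below the new boolean pattern, `when /^-?\d+$/`, still uses the `^`/`$` line anchors that this commit replaces in the boolean branch, so a multi-line value whose first line is digits (e.g. "5\nabc") still matches and `value.to_i` silently discards everything after the newline; it should read `when /\A-?\d+\z/`. If further `when` patterns follow in this `case`, which continues past the hunk along with the enclosing parse_cli_input_value, they presumably need the same treatment. Separately, the four-line comment above the new `when` largely repeats the commit message; a single line such as `# \A and \z anchor the whole string; ^ and $ only anchor a line in Ruby` keeps the rationale next to the code without the duplication.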