ruby-security - issue #11

Regular expression variables


Posted on Oct 23, 2012 by Quick Bird

An interesting feature of Ruby is that certain regular expressions can modify and create new variables.

There are some restrictions which mean it should rarely (never?) introduce a security risk.

"This assignment is implemented in the Ruby parser. The parser detects ‘regexp-literal =~ expression’ for the assignment. The regexp must be a literal without interpolation and placed at left hand side." - http://www.ruby-doc.org/core-1.9.3/Regexp.html

Example code:

somevar = 'before'
input = 'after'
if /(?<somevar>.*)/ =~ input
  match = true
end
puts somevar   # => after (the literal regexp on the left of =~ reassigned somevar)
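The behaviour described in the report, worked through as an added example that is not part of the original issue: each method below exercises one of the parser's restrictions quoted from the Ruby docs (literal on the left, no interpolation, not on the right), and the last two show the one caveat a reviewer should keep in mind, which is that a capture group reusing the name of an existing local overwrites it, and a failed match overwrites it with nil. Method names, the ALLOWED_ROLES list and the sample inputs are constructed for this example.

```ruby
# Added example (not from the original issue): exercises the parser-level
# named-capture assignment and the restrictions that limit it. All method
# names, ALLOWED_ROLES and the sample inputs are constructed for the example.

# Case 1: a regexp literal on the left of =~ makes the parser declare and
# assign locals named after the capture groups. On a failed match the same
# locals are assigned nil rather than being left untouched.
def literal_lhs(input)
  if /\Auser=(?<user>\w+);role=(?<role>\w+)\z/ =~ input
    [user, role]
  else
    [user, role] # both nil after a non-match
  end
end

# Case 2: a regexp held in a variable is an ordinary method call as far as
# the parser is concerned, so no locals are created; the captures live
# only in the MatchData object.
def non_literal(input)
  re = /\Auser=(?<user>\w+);role=(?<role>\w+)\z/
  m  = re.match(input)
  [local_variables.include?(:user), m && m[:user]]
end

# Case 3: any #{} interpolation disables the assignment even though the
# regexp is a literal on the left of =~. $~ still carries the captures.
def interpolated(input, sep)
  if /\Auser=(?<user>\w+)#{Regexp.escape(sep)}role=(?<role>\w+)\z/ =~ input
    [local_variables.include?(:user), $~[:user]]
  end
end

# Case 4: a regexp literal on the right-hand side never assigns.
def literal_rhs(input)
  input =~ /\Auser=(?<user>\w+);role=(?<role>\w+)\z/
  [local_variables.include?(:user), $~ && $~[:user]]
end

# Case 5: the caveat. The input controls only the captured value, never
# the variable name (the name is fixed in the literal), but a capture group
# that reuses the name of an existing local overwrites that local, and a
# non-match overwrites it with nil, silently discarding the trusted default.
def clobbering(input)
  role = 'guest'                 # trusted default
  /role=(?<role>\w+)/ =~ input   # same name as the local above: reassigns it
  role
end

# Defensive form: keep the captures in MatchData (Regexp#match, not =~, so
# the parser creates no locals) and copy a value across only after
# validating it. The default survives both a bad value and a non-match.
ALLOWED_ROLES = %w[guest user].freeze

def validated(input)
  role = 'guest'
  m = /role=(?<role>\w+)/.match(input)
  role = m[:role] if m && ALLOWED_ROLES.include?(m[:role])
  role
end

if __FILE__ == $0
  p literal_lhs('user=bob;role=admin')      # ["bob", "admin"]
  p literal_lhs('garbage')                  # [nil, nil]
  p non_literal('user=bob;role=admin')      # [false, "bob"]
  p interpolated('user=bob;role=admin', ';') # [false, "bob"]
  p literal_rhs('user=bob;role=admin')      # [false, "bob"]
  p clobbering('role=admin')                # "admin"
  p clobbering('nothing')                   # nil
  p validated('role=admin')                 # "guest"
end
```

The `local_variables` check is what makes the restrictions visible: it lists every local the parser declared for the method, so a `false` there proves no assignment happened at parse time, independent of whether the regexp matched. Case 5 is the practical takeaway for reviewers: grep for `(?<name>` in regexp literals on the left of `=~` and check whether `name` is already a local carrying a trusted value.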

Status: New

Labels: Type-Defect, Priority-Medium