Format Validation

ID

ruby.checkvalidationregex

Severity

low

Resource

Format Validation

Language

Ruby

Description

Calls to validates_format_of ..., :with => // which do not use \A and \z as anchors will cause this warning. Using ^ and $ is not sufficient: in Ruby they match at the start and end of any line, not of the whole string, so they only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.

See the Ruby Security Guide for details.
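The following is an added example, not part of the detector documentation or of Rails itself. It mirrors the check validates_format_of performs (value.to_s =~ regexp) with a plain Ruby helper so the difference between ^/$ and \A/\z can be seen on constructed multi-line input; the helper name, the patterns and the sample strings are all assumptions made for this illustration. It also shows the \Z caveat, which is not mentioned above.

```ruby
# Stand-in for the check behind validates_format_of :with => regexp.
# Rails accepts the value when it matches; this mirrors that test.
def format_valid?(value, regexp)
  !!(value.to_s =~ regexp)
end

# Weak pattern flagged by the detector: in Ruby, ^ and $ match at the
# start and end of ANY line, so a newline splits the string into pieces
# and the check only has to succeed on one of them.
WEAK_USERNAME = /^[a-z0-9_]+$/

# Corrected pattern: \A and \z match only at the start and end of the
# WHOLE string, so the entire value must satisfy the character class.
SAFE_USERNAME = /\A[a-z0-9_]+\z/

# Caveat: \Z (upper case) still matches before a single trailing "\n",
# so it is not a full replacement for \z.
NEARLY_SAFE_USERNAME = /\A[a-z0-9_]+\Z/

# Constructed sample values (labels are for reporting only).
SAMPLES = {
  "alice"              => :plain,
  "alice\n<injected>"  => :payload_after_newline,
  "<injected>\nalice"  => :payload_before_newline,
  "alice\n"            => :trailing_newline_only,
}

# Returns { label => accepted? } for every sample under one pattern.
def classify(regexp)
  SAMPLES.map { |value, label| [label, format_valid?(value, regexp)] }.to_h
end

if __FILE__ == $0
  { weak: WEAK_USERNAME, safe: SAFE_USERNAME,
    nearly_safe: NEARLY_SAFE_USERNAME }.each do |name, re|
    puts "#{name}: #{classify(re).inspect}"
  end
end
```

Only the plain value survives the \A...\z pattern; the weak pattern accepts every sample because each has at least one line made of allowed characters.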

Rationale

Report uses of validates_format_of with improper anchors

Remediation

Follow secure coding practices for Ruby on Rails applications. Review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.