line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Perl::Critic::Policy::RegularExpressions::RequireDefault; |
2
|
|
|
|
|
|
|
|
3
|
2
|
|
|
2
|
|
1652
|
use 5.006001; |
|
2
|
|
|
|
|
9
|
|
4
|
2
|
|
|
2
|
|
11
|
use strict; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
43
|
|
5
|
2
|
|
|
2
|
|
14
|
use warnings; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
61
|
|
6
|
2
|
|
|
2
|
|
1080
|
use Readonly; |
|
2
|
|
|
|
|
8034
|
|
|
2
|
|
|
|
|
118
|
|
7
|
|
|
|
|
|
|
|
8
|
2
|
|
|
2
|
|
1395
|
use Perl::Critic::Utils qw{ :severities }; |
|
2
|
|
|
|
|
247105
|
|
|
2
|
|
|
|
|
42
|
|
9
|
|
|
|
|
|
|
|
10
|
2
|
|
|
2
|
|
1610
|
use base 'Perl::Critic::Policy'; |
|
2
|
|
|
|
|
5
|
|
|
2
|
|
|
|
|
1255
|
|
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
our $VERSION = '2.00'; # VERSION: generated by DZP::OurPkgVersion |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
#----------------------------------------------------------------------------- |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
Readonly::Scalar my $DESC => q{Regular expression without "/a" or "/aa" flag}; |
17
|
|
|
|
|
|
|
Readonly::Scalar my $EXPL => q{Use regular expression "/a" or "/aa" flag}; |
18
|
|
|
|
|
|
|
Readonly::Scalar my $TRUE => 1; |
19
|
|
|
|
|
|
|
Readonly::Scalar my $FALSE => 0; |
20
|
|
|
|
|
|
|
|
21
|
|
|
|
|
|
|
#----------------------------------------------------------------------------- |
22
|
|
|
|
|
|
|
|
23
|
3
|
|
|
3
|
1
|
47
|
sub default_severity { return $SEVERITY_MEDIUM } |
24
|
0
|
|
|
0
|
1
|
0
|
sub default_themes { return qw< security > } |
25
|
|
|
|
|
|
|
|
26
|
|
|
|
|
|
|
sub applies_to { |
27
|
13
|
|
|
13
|
1
|
106031
|
return qw< |
28
|
|
|
|
|
|
|
PPI::Token::Regexp::Match |
29
|
|
|
|
|
|
|
PPI::Token::Regexp::Substitute |
30
|
|
|
|
|
|
|
PPI::Token::QuoteLike::Regexp |
31
|
|
|
|
|
|
|
PPI::Statement::Include |
32
|
|
|
|
|
|
|
>; |
33
|
|
|
|
|
|
|
} |
34
|
|
|
|
|
|
|
|
35
|
|
|
|
|
|
|
#----------------------------------------------------------------------------- |
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
sub violates { |
38
|
19
|
|
|
19
|
1
|
871
|
my ( $self, $elem, $doc ) = @_; |
39
|
|
|
|
|
|
|
|
40
|
19
|
50
|
|
|
|
58
|
if ( $self->_pragma_enabled($elem) ) { |
41
|
0
|
|
|
|
|
0
|
return; # ok!; |
42
|
|
|
|
|
|
|
} |
43
|
|
|
|
|
|
|
|
44
|
19
|
100
|
|
|
|
67
|
my $re = $doc->ppix_regexp_from_element($elem) |
45
|
|
|
|
|
|
|
or return; |
46
|
|
|
|
|
|
|
|
47
|
13
|
100
|
|
|
|
47831
|
if ( not $self->_allowed_modifier($re)) { |
48
|
3
|
|
|
|
|
19
|
return $self->violation( $DESC, $EXPL, $elem ); |
49
|
|
|
|
|
|
|
} |
50
|
|
|
|
|
|
|
|
51
|
10
|
|
|
|
|
34
|
return; # ok!; |
52
|
|
|
|
|
|
|
} |
53
|
|
|
|
|
|
|
|
54
|
|
|
|
|
|
|
sub _allowed_modifier { |
55
|
13
|
|
|
13
|
|
40
|
my ( $self, $re ) = @_; |
56
|
|
|
|
|
|
|
|
57
|
13
|
100
|
100
|
|
|
51
|
if ( $re->modifier_asserted('a') and not $self->{_strict} ) { |
58
|
4
|
|
|
|
|
102
|
return $TRUE; |
59
|
|
|
|
|
|
|
} |
60
|
|
|
|
|
|
|
|
61
|
9
|
100
|
|
|
|
229
|
if ( $re->modifier_asserted('aa') ) { |
62
|
6
|
|
|
|
|
116
|
return $TRUE; |
63
|
|
|
|
|
|
|
} |
64
|
|
|
|
|
|
|
|
65
|
3
|
|
|
|
|
56
|
return $FALSE; |
66
|
|
|
|
|
|
|
} |
67
|
|
|
|
|
|
|
|
68
|
|
|
|
|
|
|
|
69
|
|
|
|
|
|
|
sub _correct_modifier { |
70
|
6
|
|
|
6
|
|
404
|
my ( $self, $elem ) = @_; |
71
|
|
|
|
|
|
|
|
72
|
6
|
50
|
33
|
|
|
23
|
if ( $elem->arguments eq 'a' and not $self->{_strict} ) { |
73
|
0
|
|
|
|
|
0
|
return $TRUE; |
74
|
|
|
|
|
|
|
} |
75
|
|
|
|
|
|
|
|
76
|
6
|
50
|
|
|
|
238
|
if ( $elem->arguments eq 'aa' ) { |
77
|
0
|
|
|
|
|
0
|
return $TRUE; |
78
|
|
|
|
|
|
|
} |
79
|
|
|
|
|
|
|
|
80
|
6
|
|
|
|
|
211
|
return $FALSE; |
81
|
|
|
|
|
|
|
} |
82
|
|
|
|
|
|
|
|
83
|
|
|
|
|
|
|
sub _pragma_enabled { |
84
|
19
|
|
|
19
|
|
44
|
my ( $self, $elem ) = @_; |
85
|
|
|
|
|
|
|
|
86
|
19
|
50
|
66
|
|
|
135
|
if ( $elem->can('type') |
|
|
|
66
|
|
|
|
|
|
|
|
33
|
|
|
|
|
87
|
|
|
|
|
|
|
and $elem->type() eq 'use' |
88
|
|
|
|
|
|
|
and $elem->pragma() eq 're' |
89
|
|
|
|
|
|
|
and $self->_correct_modifier($elem) ) |
90
|
|
|
|
|
|
|
{ |
91
|
0
|
|
|
|
|
0
|
return $TRUE; |
92
|
|
|
|
|
|
|
} |
93
|
|
|
|
|
|
|
|
94
|
19
|
|
|
|
|
64
|
return $FALSE; |
95
|
|
|
|
|
|
|
} |
96
|
|
|
|
|
|
|
|
97
|
|
|
|
|
|
|
sub initialize_if_enabled { |
98
|
3
|
|
|
3
|
1
|
2062198
|
my ( $self, $config ) = @_; |
99
|
|
|
|
|
|
|
|
100
|
3
|
|
100
|
|
|
16
|
$self->{_strict} = $config->get('strict') || 0; |
101
|
|
|
|
|
|
|
|
102
|
3
|
|
|
|
|
48
|
return $TRUE; |
103
|
|
|
|
|
|
|
} |
104
|
|
|
|
|
|
|
|
105
|
|
|
|
|
|
|
1; |
106
|
|
|
|
|
|
|
|
107
|
|
|
|
|
|
|
__END__ |
108
|
|
|
|
|
|
|
|
109
|
|
|
|
|
|
|
=pod |
110
|
|
|
|
|
|
|
|
111
|
|
|
|
|
|
|
=head1 NAME |
112
|
|
|
|
|
|
|
|
113
|
|
|
|
|
|
|
Perl::Critic::Policy::RegularExpressions::RequireDefault - Always use the C</a> or C</aa> modifier with regular expressions. |
114
|
|
|
|
|
|
|
|
115
|
|
|
|
|
|
|
=head1 VERSION |
116
|
|
|
|
|
|
|
|
117
|
|
|
|
|
|
|
This documentation describes version 2.00 |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
=head1 AFFILIATION |
120
|
|
|
|
|
|
|
|
121
|
|
|
|
|
|
|
This policy has no affiliation |
122
|
|
|
|
|
|
|
|
123
|
|
|
|
|
|
|
=head1 DESCRIPTION |
124
|
|
|
|
|
|
|
|
125
|
|
|
|
|
|
|
This policy aims to help enforce Perl's protective measures against security vulnerabilities related to Unicode, such as: |
126
|
|
|
|
|
|
|
|
127
|
|
|
|
|
|
|
=over |
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
=item * Visual Spoofing |
130
|
|
|
|
|
|
|
|
131
|
|
|
|
|
|
|
=item * Character and String Transformation Vulnerabilities |
132
|
|
|
|
|
|
|
|
133
|
|
|
|
|
|
|
=back |
134
|
|
|
|
|
|
|
|
135
|
|
|
|
|
|
|
The C</a> and C</aa> modifiers standing for ASCII-restrict or ASCII-safe, provides protection for applications that do not need to be exposed to all of Unicode and possible security issues with Unicode. |
136
|
|
|
|
|
|
|
|
137
|
|
|
|
|
|
|
C</a> causes the sequences C<\d>, C<\s>, C<\w>, and the Posix character classes to match only in the ASCII range. Meaning: |
138
|
|
|
|
|
|
|
|
139
|
|
|
|
|
|
|
=over |
140
|
|
|
|
|
|
|
|
141
|
|
|
|
|
|
|
=item * C<\d> means the digits C<0> to C<9> |
142
|
|
|
|
|
|
|
|
143
|
|
|
|
|
|
|
my $ascii_letters =~ m/[A-Z]*/i; # not ok |
144
|
|
|
|
|
|
|
my $ascii_letters =~ m/[A-Z]*/a; # ok |
145
|
|
|
|
|
|
|
my $ascii_letters =~ m/[A-Z]*/aa; # ok |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
=item * C<\s> means the five characters C<[ \f\n\r\t]>, and starting in Perl v5.18, also the vertical tab |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
my $characters =~ m/[ \f\n\r\t]*/; # not ok |
150
|
|
|
|
|
|
|
my $characters =~ m/[ \f\n\r\t]*/a; # ok |
151
|
|
|
|
|
|
|
my $characters =~ m/[ \f\n\r\t]*/aa; # ok |
152
|
|
|
|
|
|
|
|
153
|
|
|
|
|
|
|
=item * C<\w> means the 63 characters C<[A-Za-z0-9_]> and all the Posix classes such as C<[[:print:]]> match only the appropriate ASCII-range characters |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
my $letters =~ m/[A-Za-z0-9_]*/; # not ok |
156
|
|
|
|
|
|
|
my $letters =~ m/[A-Za-z0-9_]*/a; # ok |
157
|
|
|
|
|
|
|
my $letters =~ m/[A-Za-z0-9_]*/aa; # ok |
158
|
|
|
|
|
|
|
|
159
|
|
|
|
|
|
|
=back |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
The policy also supports the pragma: |
162
|
|
|
|
|
|
|
|
163
|
|
|
|
|
|
|
use re 'a'; |
164
|
|
|
|
|
|
|
|
165
|
|
|
|
|
|
|
and: |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
use re 'aa'; |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
Which mean it will not evaluate the regular expressions any further: |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
use re 'a'; |
172
|
|
|
|
|
|
|
my $letters =~ m/[A-Za-z0-9_]*/; # ok |
173
|
|
|
|
|
|
|
|
174
|
|
|
|
|
|
|
Do note that the C</a> and C</aa> modifiers require Perl 5.14, so by using the recommended modifiers you indirectly introduct a requirement for Perl 5.14. |
175
|
|
|
|
|
|
|
|
176
|
|
|
|
|
|
|
This policy is inspired by L<Perl::Critic::Policy::RegularExpressions::RequireExtendedFormatting|https://metacpan.org/pod/Perl::Critic::Policy::RegularExpressions::RequireExtendedFormatting> and many implementation details was lifted from this particular distribution. |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
=head1 CONFIGURATION AND ENVIRONMENT |
179
|
|
|
|
|
|
|
|
180
|
|
|
|
|
|
|
The policy has a single configuration parameter: C<strict>. The default is disabled (C<0>). |
181
|
|
|
|
|
|
|
|
182
|
|
|
|
|
|
|
The policy, if enabled, allow for both C<'a'> and C<'aa'>, if strict however is enabled, C<'a'> will trigger a violation and C<'aa'> will not. |
183
|
|
|
|
|
|
|
|
184
|
|
|
|
|
|
|
Example configuration: |
185
|
|
|
|
|
|
|
|
186
|
|
|
|
|
|
|
[RegularExpressions::RequireDefault] |
187
|
|
|
|
|
|
|
strict = 1 |
188
|
|
|
|
|
|
|
|
189
|
|
|
|
|
|
|
Do note that the policy also evaluates if the pragmas are enabled, meaning: C<use re 'a';> will trigger a violation and C<use re 'a';> will not if the policy is configured for strict evaluation. |
190
|
|
|
|
|
|
|
|
191
|
|
|
|
|
|
|
=head1 INCOMPATIBILITIES |
192
|
|
|
|
|
|
|
|
193
|
|
|
|
|
|
|
This distribution holds no known incompatibilities at this time, please see L</DEPENDENCIES AND REQUIREMENTS> for details on version requirements. |
194
|
|
|
|
|
|
|
|
195
|
|
|
|
|
|
|
=head1 BUGS AND LIMITATIONS |
196
|
|
|
|
|
|
|
|
197
|
|
|
|
|
|
|
=over |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
=item * The pragma handling does not take into consideration of a pragma is disabled. |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
=item * The pragma handling does not take lexical scope into consideration properly and only detects the definition once |
202
|
|
|
|
|
|
|
|
203
|
|
|
|
|
|
|
=back |
204
|
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
This distribution holds no other known limitations or bugs at this time, please refer to the L<the issue listing on GitHub|https://github.com/jonasbn/perl-critic-policy-regularexpressions-requiredefault/issues> for more up to date information. |
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
=head1 BUG REPORTING |
208
|
|
|
|
|
|
|
|
209
|
|
|
|
|
|
|
Please report bugs via L<GitHub|https://github.com/jonasbn/perl-critic-policy-regularexpressions-requiredefault/issues>. |
210
|
|
|
|
|
|
|
|
211
|
|
|
|
|
|
|
=head1 TEST AND QUALITY |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
This distribution aims to adhere to the Perl::Critic::Policy standards and Perl best practices and recommendations. |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
=head1 DEPENDENCIES AND REQUIREMENTS |
216
|
|
|
|
|
|
|
|
217
|
|
|
|
|
|
|
This distribution requires: |
218
|
|
|
|
|
|
|
|
219
|
|
|
|
|
|
|
=over |
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
=item * L<Perl 5.14|https://metacpan.org/pod/release/JESSE/perl-5.14.0/pod/perl.pod>, released 2011-05-14 |
222
|
|
|
|
|
|
|
|
223
|
|
|
|
|
|
|
=item * L<Carp|https://metacpan.org/pod/Carp>, in core since Perl 5. |
224
|
|
|
|
|
|
|
|
225
|
|
|
|
|
|
|
=item * L<Readonly|https://metacpan.org/pod/Readonly> |
226
|
|
|
|
|
|
|
|
227
|
|
|
|
|
|
|
=item * L<Perl::Critic::Policy|https://metacpan.org/pod/Perl::Critic::Policy> |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
=item * L<Perl::Critic::Utils|https://metacpan.org/pod/Perl::Critic::Utils> |
230
|
|
|
|
|
|
|
|
231
|
|
|
|
|
|
|
=back |
232
|
|
|
|
|
|
|
|
233
|
|
|
|
|
|
|
Please see the listing in the file: F<cpanfile>, included with the distribution for a complete listing and description for configuration, test and development. |
234
|
|
|
|
|
|
|
|
235
|
|
|
|
|
|
|
=head1 TODO |
236
|
|
|
|
|
|
|
|
237
|
|
|
|
|
|
|
Ideas and suggestions for improvements and new features are listed in GitHub and are marked as C<enhancement>. |
238
|
|
|
|
|
|
|
|
239
|
|
|
|
|
|
|
=over |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
=item * Please see L<the issue listing on GitHub|https://github.com/jonasbn/perl-critic-policy-regularexpressions-requiredefault/issues> |
242
|
|
|
|
|
|
|
|
243
|
|
|
|
|
|
|
=back |
244
|
|
|
|
|
|
|
|
245
|
|
|
|
|
|
|
=head1 SEE ALSO |
246
|
|
|
|
|
|
|
|
247
|
|
|
|
|
|
|
=over |
248
|
|
|
|
|
|
|
|
249
|
|
|
|
|
|
|
=item * L<Perl regular expression documentation: perlre|https://perldoc.perl.org/perlre.html> |
250
|
|
|
|
|
|
|
|
251
|
|
|
|
|
|
|
=item * L<Perl delta file describing introduction of modifiers in Perl 5.14|https://perldoc.pl/perl5140delta#%2Fd%2C-%2Fl%2C-%2Fu%2C-and-%2Fa-modifiers> |
252
|
|
|
|
|
|
|
|
253
|
|
|
|
|
|
|
=item * L<Unicode Security Issues FAQ|http://www.unicode.org/faq/security.html> |
254
|
|
|
|
|
|
|
|
255
|
|
|
|
|
|
|
=item * L<Unicode Security Guide|http://websec.github.io/unicode-security-guide/> |
256
|
|
|
|
|
|
|
|
257
|
|
|
|
|
|
|
=item * L<Presentation: "Unicode Transformations: Finding Elusive Vulnerabilities" by Chris Weber for OWASP AppSecDC November 2009|https://www.owasp.org/images/5/5a/Unicode_Transformations_Finding_Elusive_Vulnerabilities-Chris_Weber.pdf|> |
258
|
|
|
|
|
|
|
|
259
|
|
|
|
|
|
|
=item * L<Perl::Critic|https://metacpan.org/pod/Perl::Critic> |
260
|
|
|
|
|
|
|
|
261
|
|
|
|
|
|
|
=item * L<Perl::Critic::Policy::RegularExpressions::RequireExtendedFormatting|https://metacpan.org/pod/Perl::Critic::Policy::RegularExpressions::RequireExtendedFormatting> |
262
|
|
|
|
|
|
|
|
263
|
|
|
|
|
|
|
=back |
264
|
|
|
|
|
|
|
|
265
|
|
|
|
|
|
|
=head1 MOTIVATION |
266
|
|
|
|
|
|
|
|
267
|
|
|
|
|
|
|
The motivation for this Perl::Critic policy came from a L<tweet|https://twitter.com/jmaslak/status/1008896883169751040> by L<@joel|https://twitter.com/jmaslak> |
268
|
|
|
|
|
|
|
|
269
|
|
|
|
|
|
|
| Perl folk: Looking for a PR challenge task? Check for \d in regexes |
270
|
|
|
|
|
|
|
| that really should be [0-9] or should have the /a regex modifier. |
271
|
|
|
|
|
|
|
| Perl is multinational by default! #TPCiSLC |
272
|
|
|
|
|
|
|
|
273
|
|
|
|
|
|
|
=head1 AUTHOR |
274
|
|
|
|
|
|
|
|
275
|
|
|
|
|
|
|
=over |
276
|
|
|
|
|
|
|
|
277
|
|
|
|
|
|
|
=item * jonasbn <jonasbn@cpan.org> |
278
|
|
|
|
|
|
|
|
279
|
|
|
|
|
|
|
=back |
280
|
|
|
|
|
|
|
|
281
|
|
|
|
|
|
|
=head1 ACKNOWLEDGEMENTS |
282
|
|
|
|
|
|
|
|
283
|
|
|
|
|
|
|
=over |
284
|
|
|
|
|
|
|
|
285
|
|
|
|
|
|
|
=item * L<Joelle Maslak (@joel)|https://twitter.com/jmaslak> / L<JMASLAK|https://metacpan.org/author/JMASLAK> for the initial idea, see link to original tweet under L</MOTIVATION> |
286
|
|
|
|
|
|
|
|
287
|
|
|
|
|
|
|
=item * L<Dan Book (@Grinnz)|https://github.com/Grinnz> / L<DBOOK|https://metacpan.org/author/DBOOK|> for information on Pragma and requirement for Perl 5.14, when using the modifiers handled and mentioned by this policy |
288
|
|
|
|
|
|
|
|
289
|
|
|
|
|
|
|
=back |
290
|
|
|
|
|
|
|
|
291
|
|
|
|
|
|
|
=head1 LICENSE AND COPYRIGHT |
292
|
|
|
|
|
|
|
|
293
|
|
|
|
|
|
|
Perl::Critic::Policy::RegularExpressions::RequireDefault is (C) by jonasbn 2018-2019 |
294
|
|
|
|
|
|
|
|
295
|
|
|
|
|
|
|
Perl::Critic::Policy::RegularExpressions::RequireDefault is released under the Artistic License 2.0 |
296
|
|
|
|
|
|
|
|
297
|
|
|
|
|
|
|
Please see the LICENSE file included with the distribution of this module |
298
|
|
|
|
|
|
|
|
299
|
|
|
|
|
|
|
=cut |