protip: ALWAYS use regular expression literals in JavaScript and TypeScript and any other language that supports it, instead of writing your regex out in a string. I cannot count how many critical security bugs I have found over the years from someone writing a regex like "^en\.wikipedia\.org$", which is incorrect because the \. is treated as *string* escape sequence (an invalid one that just produces .) which then results in the regex being "^en.wikipedia.org$" which matches "enowikipedia.org".
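The failure described above, worked through as an added example (not code from the original post): the same host check written as a string pattern, as a regex literal, and via String.raw, run against a few constructed hostnames.

```javascript
// Added example: why a regex written as a plain string silently loses its
// escapes in JavaScript, and two ways to keep the backslashes intact.

// Host allow-list check written with a STRING pattern. In a string literal,
// "\." is an unknown escape sequence: JavaScript drops the backslash and the
// pattern the engine sees is "^en.wikipedia.org$", where "." matches any char.
const BROKEN_PATTERN = "^en\.wikipedia\.org$";
const brokenHostRe = new RegExp(BROKEN_PATTERN);

// The same check as a regex LITERAL: the backslashes reach the regex engine
// untouched, so "\." means a literal dot.
const hostRe = /^en\.wikipedia\.org$/;

// If the pattern must come from a string (e.g. loaded from config), String.raw
// preserves the backslashes; doubling them ("\\.") works as well.
const rawHostRe = new RegExp(String.raw`^en\.wikipedia\.org$`);

function isAllowedHost(host, re) {
  return re.test(host);
}

// Constructed sample hosts: one legitimate, two that must be rejected.
const SAMPLE_HOSTS = ["en.wikipedia.org", "enowikipedia.org", "en-wikipedia.org"];

// Returns, for each sample host, what each of the three patterns decides.
function compare() {
  return SAMPLE_HOSTS.map((host) => ({
    host,
    broken: isAllowedHost(host, brokenHostRe), // true for all three hosts
    literal: isAllowedHost(host, hostRe),      // true only for en.wikipedia.org
    raw: isAllowedHost(host, rawHostRe),       // same as the literal
  }));
}

console.log("Pattern the engine actually sees:", brokenHostRe.source);
console.table(compare());
```

Inspecting `.source` on a compiled RegExp is a quick way to catch this in review: if the dots are unescaped there, the string escape already ate them.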

@gsuberland Storytime!

I was once working in this Ruby on Rails shop, meh product but overall great people to work with.

One day I was reviewing the Brakeman configuration shipped with the code base and noticed that they turned on the “use double quotes everywhere” option.

Because this happened way earlier than my time there, I brought this up in the engineering Slack channel, explaining exactly this corner case, and asking what the origin story for this choice was. Mostly because Brakeman by default is smart enough to request single quotes when there’s a risk of interpolation and to prefer double quotes everywhere else.

The Brakeman config author came in very hot with an explanation that boiled down to “I wrote a blog post about the importance of unifying the coding style for readability and you should really go through it”.

Luckily enough, regexps weren’t really used across the code base: the most impactful place was during the deployment process when the homegrown deployment service needed to figure out what to do on different hosts based on their hostname. So, anyway, limited blast radius and all under engineering control.

Because of all of this, I decided this wasn’t a hill worth dying on. I reiterated that it was a slightly dangerous choice in the current state of the code base and moved along to more interesting and burning problems.

Fast forward three months later, many code changes and, if memory serves right, even a Ruby/Rails version upgrade. More regexps in the code base.

Things are getting wonky, the SREs are having trouble with deployments and no one understands why some core components are not behaving as expected.

Luckily we had paid support, so they opened a ticket with a sample of the puzzling code. The answer came in quick and dry: “you are using double quotes, the string gets interpolated before being sent to the regexp handler” 😬.

The incident and the root cause are posted in the engineering Slack channel for awareness.

I’m laughing my arse off and resurrecting the old thread from a few months back.

The Brakeman configuration author is fuming.

We change the option back to the original default.