Id match in firestore database rules - regex

I am working on my security rules, but when I try to match the document id with a regex, it doesn't work.
I tried to use the matches function, but it doesn't seem to accept the method.
Even when I tried using the Firebase pattern YYYY-MM-DD (/^(19|20)[0-9][0-9][-\\/. ](0[1-9]|1[012])[-\\/. ](0[1-9]|[12][0-9]|3[01])$/) from here, but it didn't work (I tried with 1950-01-01).
I am trying to check roomId for this pattern (/^(\\d){6,}#[a-zA-Z0-9]{65,}$/)
Edit: I tried removing the " " around the regex but it gives me this error: mismatched input ')' expecting {'{', '/', PATH_SEGMENT}
(I know the regex is OK, but I don't know why it won't work in the code I wrote)

You're getting the syntax mixed up between Realtime Database and Firestore.
In Realtime Database security rules, the regular expression is specific as a JavaScript regex, so enclosed in / for opening and closing.
In Firestore security rules the regular expression needs to be passed as a string, which also means it shouldn't be wrapped in / symbols.
So:
allow create: if docId.matches("^(19|20)[0-9][0-9][-\\/. ](0[1-9]|1[012])[-\\/. ](0[1-9]|[12][0-9]|3[01])$");

Related

Google Tag Manager - Regex match

I want to check if a specific string is included in a GTM variable. The value of this variable is a first-party-cookie value decoded via URI looking like this:
"\"prodirversion\":5,\"panellanguage\":\"de\",\"preferences\":false,"\"marketing\":true,\"necessary\":true,\"statistics\":false,\"social_"
I now want to check if the following string is included.
marketing":true
I created another variable with a regex table and tried different regex expressions but nothing seems to work. It works on online regex tester but not in Google Tag Manager.
My guess would be the following but it doesn't work.
marketing\\":true
or
marketing.{3}true
or
marketing\\.{2}true
GTM variable
Some Regex engines will have an error on not escaping " char in marketing\\":true
Try escaping it like this: marketing\\\":true, and it should match.
Update:
marketing":true seems to be working in GTM
from that, we can conclude that escaping character \ in input string is for show only in GTM case, and should be ignored when regex testing/debugging.

Regex to match url path - Golang with Gorilla Mux

I'm setting up an api endpoint which after parsing the url I would get a path such as /profile/<username> e.g. /profile/markzuck
The username is optional though as this endpoint returns the the authenticated users profile if username is blank
Rule set:
I'm not the best at regex but I've created an expression that requires /profile after that if there is a following / e.g. /profile/ then you need to have a <username> that matches (\w){1,15}. Also I want it to be allowed to match any number of combinations if there is another following / e.g. /profile/<username>/<if preceding "/" then anything else>
Although I'm not 100% sure my expression is correct this seems to work in JavaScript
/^\/(profile)(\/(?=(\w){1,15}))?/
Gorilla Mux though is different and it requires the route matching string to always start with a slash and some other things I don't understand like it can only use non-capturing groups
( found this out by getting this error: panic: route /{_dummy:profile/([a-zA-Z_])?} contains capture groups in its regexp. Only non-capturing groups are accepted: e.g. (?:pattern) instead of (pattern) )
I tried using the same expression I used for JavaScript which didn't work here. I created a more forgiving expresion handlerFunc("/{_dummy:profile\/[a-zA-Z_].*}") which does work however this doesn't really follow the same rule set I'm using in my JavaScript expresion.
I was able to come up with my working expresion from this SO post here
And Gorilla Mux's docs talks a little bit about how their regex works when explaining how to use the package in the intro section here
My question is what is a similar or equivalent expression to the rule set I described that will work in Gorilla Mux HandlerFunc()?
If you're doing this with mux, then I believe what you need is not regex, but multiple paths.
For the first case, use a path "/profile". For the one containing a user name, use another path "/profile/{userName}". If you really want to use a regex, you can do "/profile/{username:}" to validate the user name. If you need to process anything that comes after username, either register separate paths (/profile/{username}/otherstuff), or register a pathPrefix "/profile/{username}/" and process the remaining part of the URL manually.

What is the correct regex syntax in Google Cloud Firestore Security Rules?

EDIT: After viewing the answer at https://stackoverflow.com/a/44876864/6792075, I still don't know why it should be necessary to double escape the period, with '\\.', especially because the documentation clearly shows that '\.' is the expected syntax (see my second example, below). The answer also references the first example ('.*\..*'), but modified with a double-escape ('.*\\..*'), but I believe this would still fail for reasons I describe below.
I'm trying to split the string memberUIDs.some_ID_here on the period character, but there are some discrepancies between the Firestore security rules docs and the syntax allowed in the rules editor.
The security rules provides a .split() method for strings: https://firebase.google.com/docs/firestore/reference/security/#split:
// Allow documents named "user.*" to be uploaded
match /{document} {
allow write: if user.split('.*\..*')[0] == 'user'
}
There is also an example in the docs showing a split on the period character, with a different regex:
// Allow read if a document has the string 'user' in it
match /{document} {
allow read: if 'user' in document.split('\.');
}
The first issue is with the first example. If you actually use this regex, it matches the entire string, which will not allow you to split on the period character; it takes the whole string as the delimiter, resulting in an array of two empty strings.
The second issue is with the second example. This regular expression should work correctly, and it works in tests with online regex editors; however, the rules editor throws a syntax error on this regex when used in the split() function. In fact, if you try to use the string '\.' anywhere, the editor throws a syntax error.
Right now, I am using '\\.' as my regex, which does not trigger a syntax error in the editor, but I do not think this is functioning correctly:
match /groups/{groupID} {
allow write: if (
request.writeFields[0].split('\\.')[0] == 'memberUIDs' &&
request.writeFields[0].split('\\.')[1] == request.auth.uid
)
}
It seems like either the documentation is wrong, the editor's syntax checker isn't working properly, or I'm fundamentally misunderstanding something about how the security rules work.
Here is a screenshot of the syntax error occurring:

Regular Expression for retrieving File Extension in HTTP url

I am working on the ELK stack and as part of Logstash data transformation i am transforming data in Apache access logs.
One of the metric needed is to get a stat on different content types (aspx, php, gif, etc.).
From the log file I am trying to retrieve request url and then deduce the file type, for ex /c/dataservices/online.jsp?callBack is the request and I would get .aspx using the regular expression
\.\w{3,4}.
My regular expression wont work for request say /etc/designs/design/libs.min.1253.css this is returning me .min as the extension.
I am trying to get the last extension but it is not working. Please do suggest other approaches.
You need to anchor the match to the end of the string or the beginning of a query param ?. Try:
\.\w{3,4}($|\?)
Play with it here: https://regex101.com/r/iV3iM1/1
You're going to need a much fancier Regex.
Try this one.
([/.\w]+)([.][\w]+)([?][\w./=]+)?
This uses three capture groups. The first ([/.\w]+) matches your path up to the last .
The second ([.][\w]+) matches the final extension, and you can use the capture group to read it out.
The third ([?][\w./=]+)? matches the query string, which is optional.

Validate Regex Input, preferably using Regex

I'm looking to have the (admin) user enter some pattern matching string, to give different users of my website access to different database rows, depending on if the text in a particular field of the row matches the pattern matching string against that user.
I decided on Regex because it is trivial to integrate into the MySQL statements directly.
I don't really know where to start with validating that a string is a valid regular expression, with a regular expression.
I did some searching for similar questions, couldn't see one. Google produced the comical answer, sadly not so helpful.
Do people do this in the wild, or avoid it?
Is it able to be done with a simple regex, or will the set of all valid regex need to be limited to a usable subset?
Validating a regex is an incredibly complex task. A regex would not be able to do it.
A simple approach would be to catch any errors that occur when you try to run the SQL statement, then report an appropriate error back to the user.
I am assuming that the 'admin' is a trusted user here. It is quite dangerous to give a non-trusted user the ability to enter regexes, because it is easy to attack your system with a regex that is constructed to take a really long time to execute. And that is before you even start to worry about the Bobby Tables problems.
in javascript:
input = "hello**";
try{
RegExp(input);
// sumbit the regex
}catch(err){
// regex is not valid
}
You cannot validate that a string contains a valid regular expression with a regular expression. But you might be able to compromise.
If you only need to know that only characters which are valid in regular expressions were used in the string, you can use the regex:
^[\d\w \-\}\{\)\(\+\*\?\|\.\$\^\[\]\\]*$
This might be enough depending on the application.