Fix regexp param anchoring (#105)

tigerwill90 · web-flow · commit 70ae18cf62ad · 2026-05-07T17:31:20.000+02:00
* fix: anchor user regexp with non-capturing group to bound alternation

* refactor!(matcher): rename Regex to Value and return raw source string

* refactor(simplelru): use range over int in Resize loop

* docs(matcher): clarify Value godoc on regexp matchers
diff --git a/fox_test.go b/fox_test.go
@@ -1546,6 +1546,38 @@ func TestWildcardSuffix(t *testing.T) {
 	}
 }
 
+func TestRegexpParamAlternationPrecedence(t *testing.T) {
+	r := MustRouter(AllowRegexpParam(true))
+	require.NoError(t, onlyError(r.Add(MethodGet, "/role/{role:admin|user|guest}", pathHandler)))
+	require.NoError(t, onlyError(r.Add(MethodGet, "/scope/{scope:read|write}/items", pathHandler)))
+
+	cases := []struct {
+		path string
+		want int
+	}{
+		{"/role/admin", http.StatusOK},
+		{"/role/user", http.StatusOK},
+		{"/role/guest", http.StatusOK},
+		{"/role/adminBYPASS", http.StatusNotFound},
+		{"/role/EVILguest", http.StatusNotFound},
+		{"/role/userX", http.StatusNotFound},
+		{"/role/Xuser", http.StatusNotFound},
+		{"/scope/read/items", http.StatusOK},
+		{"/scope/write/items", http.StatusOK},
+		{"/scope/readBYPASS/items", http.StatusNotFound},
+		{"/scope/EVILwrite/items", http.StatusNotFound},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.path, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, tc.path, nil)
+			w := httptest.NewRecorder()
+			r.ServeHTTP(w, req)
+			assert.Equal(t, tc.want, w.Code)
+		})
+	}
+}
+
 func TestInsertUpdateAndDeleteWithHostname(t *testing.T) {
 	cases := []struct {
 		name   string
diff --git a/internal/simplelru/lru.go b/internal/simplelru/lru.go
@@ -154,7 +154,7 @@ func (c *LRU[K, V]) Cap() int {
 // Resize changes the cache size.
 func (c *LRU[K, V]) Resize(size int) (evicted int) {
 	diff := max(c.Len()-size, 0)
-	for i := 0; i < diff; i++ {
+	for range diff {
 		c.removeOldest()
 	}
 	c.size = size
diff --git a/matcher.go b/matcher.go
@@ -85,7 +85,7 @@ func MatchQueryRegexp(key, expr string) (QueryRegexpMatcher, error) {
 	if key == "" {
 		return QueryRegexpMatcher{}, errors.New("empty query key")
 	}
-	regex, err := regexp.Compile("^" + expr + "$")
+	regex, err := regexp.Compile("^(?:" + expr + ")$")
 	if err != nil {
 		return QueryRegexpMatcher{}, err
 	}
@@ -108,14 +108,15 @@ func (m QueryRegexpMatcher) Key() string {
 	return m.key
 }
 
-// Regex returns a copy of the compiled regular expression used to evaluate query values.
-func (m QueryRegexpMatcher) Regex() *regexp.Regexp {
-	return new(*m.regex)
+// Value returns the regular expression matching the query parameter.
+func (m QueryRegexpMatcher) Value() string {
+	expr := m.regex.String()
+	return expr[4 : len(expr)-2]
 }
 
 // String returns a textual representation of the matcher in the form "qx:key=expr".
 func (m QueryRegexpMatcher) String() string {
-	return "qx:" + m.key + "=" + m.regex.String()
+	return "qx:" + m.key + "=" + m.Value()
 }
 
 // Match reports whether the request URL contains the configured key with any value matching the configured regular
@@ -198,7 +199,7 @@ func MatchHeaderRegexp(key, expr string) (HeaderRegexpMatcher, error) {
 	if key == "" {
 		return HeaderRegexpMatcher{}, errors.New("empty header key")
 	}
-	regex, err := regexp.Compile("^" + expr + "$")
+	regex, err := regexp.Compile("^(?:" + expr + ")$")
 	if err != nil {
 		return HeaderRegexpMatcher{}, err
 	}
@@ -221,9 +222,10 @@ func (m HeaderRegexpMatcher) Key() string {
 	return m.canonicalKey
 }
 
-// Regex returns a copy of the compiled regular expression used to evaluate header values.
-func (m HeaderRegexpMatcher) Regex() *regexp.Regexp {
-	return new(*m.regex)
+// Value returns the regular expression matching the header.
+func (m HeaderRegexpMatcher) Value() string {
+	expr := m.regex.String()
+	return expr[4 : len(expr)-2]
 }
 
 // Match reports whether the request contains the configured header with any value matching the configured regular
@@ -247,7 +249,7 @@ func (m HeaderRegexpMatcher) Equal(matcher Matcher) bool {
 
 // String returns a textual representation of the matcher in the form "hx:key=expr".
 func (m HeaderRegexpMatcher) String() string {
-	return "hx:" + m.canonicalKey + "=" + m.regex.String()
+	return "hx:" + m.canonicalKey + "=" + m.Value()
 }
 
 // MatchClientIP returns a [ClientIPMatcher] that matches when the resolved client IP belongs to the given CIDR range.
diff --git a/matcher_test.go b/matcher_test.go
@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestQueryMatcher_Match(t *testing.T) {
@@ -622,7 +623,7 @@ func TestMatchQueryRegexp(t *testing.T) {
 			}
 			assert.NoError(t, err)
 			assert.Equal(t, tc.wantKey, m.Key())
-			assert.NotNil(t, m.Regex())
+			assert.Equal(t, tc.expr, m.Value())
 		})
 	}
 }
@@ -727,7 +728,50 @@ func TestMatchHeaderRegexp(t *testing.T) {
 			}
 			assert.NoError(t, err)
 			assert.Equal(t, tc.wantKey, m.Key())
-			assert.NotNil(t, m.Regex())
+			assert.Equal(t, tc.expr, m.Value())
+		})
+	}
+}
+
+func TestRegexpMatcherAlternationPrecedence(t *testing.T) {
+	mq, err := MatchQueryRegexp("scope", "read|write")
+	require.NoError(t, err)
+	mh, err := MatchHeaderRegexp("X-Role", "admin|user|guest")
+	require.NoError(t, err)
+
+	queryCases := []struct {
+		url  string
+		want bool
+	}{
+		{"/?scope=read", true},
+		{"/?scope=write", true},
+		{"/?scope=readBYPASS", false},
+		{"/?scope=EVILwrite", false},
+	}
+	for _, tc := range queryCases {
+		t.Run("query "+tc.url, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, tc.url, nil)
+			c := NewTestContextOnly(httptest.NewRecorder(), req)
+			assert.Equal(t, tc.want, mq.Match(c))
+		})
+	}
+
+	headerCases := []struct {
+		value string
+		want  bool
+	}{
+		{"admin", true},
+		{"user", true},
+		{"guest", true},
+		{"adminBYPASS", false},
+		{"EVILguest", false},
+	}
+	for _, tc := range headerCases {
+		t.Run("header "+tc.value, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, "/", nil)
+			req.Header.Set("X-Role", tc.value)
+			c := NewTestContextOnly(httptest.NewRecorder(), req)
+			assert.Equal(t, tc.want, mh.Match(c))
 		})
 	}
 }
diff --git a/parser.go b/parser.go
@@ -391,7 +391,7 @@ func (fox *Router) compileParamRegexp(rawRegex string) (*regexp.Regexp, *Pattern
 		return nil, newPatternError("regexp", 0, 0, "missing expression")
 	}
 
-	re, err := regexp.Compile("^" + rawRegex + "$")
+	re, err := regexp.Compile("^(?:" + rawRegex + ")$")
 	if err != nil {
 		return nil, &PatternError{
 			Reason: "regexp",
diff --git a/parser_test.go b/parser_test.go
@@ -30,7 +30,7 @@ func Test_parsePattern(t *testing.T) {
 			typ:   nodeParam,
 		}
 		if reg != "" {
-			tk.regexp = regexp.MustCompile("^" + reg + "$")
+			tk.regexp = regexp.MustCompile("^(?:" + reg + ")$")
 		}
 		return tk
 	}
@@ -41,7 +41,7 @@ func Test_parsePattern(t *testing.T) {
 			typ:   nodeWildcard,
 		}
 		if reg != "" {
-			tk.regexp = regexp.MustCompile("^" + reg + "$")
+			tk.regexp = regexp.MustCompile("^(?:" + reg + ")$")
 		}
 		return tk
 	}
diff --git a/tree.go b/tree.go
@@ -953,8 +953,9 @@ func concat(a, b string) string {
 // placeholder ("?" for params, "*" for catch-alls).
 func canonicalKey(tk token) string {
 	if tk.regexp != nil {
+		// Strip the surrounding ^(?: and )$ added by compileParamRegexp.
 		expr := tk.regexp.String()
-		return expr[1 : len(expr)-1]
+		return expr[4 : len(expr)-2]
 	}
 	switch tk.typ {
 	case nodeParam:

Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ func (c *LRU[K, V]) Cap() int {`
`154`	`154`	`// Resize changes the cache size.`
`155`	`155`	`func (c *LRU[K, V]) Resize(size int) (evicted int) {`
`156`	`156`	`diff := max(c.Len()-size, 0)`
`157`		`- for i := 0; i < diff; i++ {`
	`157`	`+ for range diff {`
`158`	`158`	`c.removeOldest()`
`159`	`159`	`}`
`160`	`160`	`c.size = size`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ func MatchQueryRegexp(key, expr string) (QueryRegexpMatcher, error) {`
`85`	`85`	`if key == "" {`
`86`	`86`	`return QueryRegexpMatcher{}, errors.New("empty query key")`
`87`	`87`	`}`
`88`		`- regex, err := regexp.Compile("^" + expr + "$")`
	`88`	`+ regex, err := regexp.Compile("^(?:" + expr + ")$")`
`89`	`89`	`if err != nil {`
`90`	`90`	`return QueryRegexpMatcher{}, err`
`91`	`91`	`}`
`@@ -108,14 +108,15 @@ func (m QueryRegexpMatcher) Key() string {`
`108`	`108`	`return m.key`
`109`	`109`	`}`
`110`	`110`
`111`		`-// Regex returns a copy of the compiled regular expression used to evaluate query values.`
`112`		`-func (m QueryRegexpMatcher) Regex() *regexp.Regexp {`
`113`		`- return new(*m.regex)`
	`111`	`+// Value returns the regular expression matching the query parameter.`
	`112`	`+func (m QueryRegexpMatcher) Value() string {`
	`113`	`+ expr := m.regex.String()`
	`114`	`+ return expr[4 : len(expr)-2]`
`114`	`115`	`}`
`115`	`116`
`116`	`117`	`// String returns a textual representation of the matcher in the form "qx:key=expr".`
`117`	`118`	`func (m QueryRegexpMatcher) String() string {`
`118`		`- return "qx:" + m.key + "=" + m.regex.String()`
	`119`	`+ return "qx:" + m.key + "=" + m.Value()`
`119`	`120`	`}`
`120`	`121`
`121`	`122`	`// Match reports whether the request URL contains the configured key with any value matching the configured regular`
`@@ -198,7 +199,7 @@ func MatchHeaderRegexp(key, expr string) (HeaderRegexpMatcher, error) {`
`198`	`199`	`if key == "" {`
`199`	`200`	`return HeaderRegexpMatcher{}, errors.New("empty header key")`
`200`	`201`	`}`
`201`		`- regex, err := regexp.Compile("^" + expr + "$")`
	`202`	`+ regex, err := regexp.Compile("^(?:" + expr + ")$")`
`202`	`203`	`if err != nil {`
`203`	`204`	`return HeaderRegexpMatcher{}, err`
`204`	`205`	`}`
`@@ -221,9 +222,10 @@ func (m HeaderRegexpMatcher) Key() string {`
`221`	`222`	`return m.canonicalKey`
`222`	`223`	`}`
`223`	`224`
`224`		`-// Regex returns a copy of the compiled regular expression used to evaluate header values.`
`225`		`-func (m HeaderRegexpMatcher) Regex() *regexp.Regexp {`
`226`		`- return new(*m.regex)`
	`225`	`+// Value returns the regular expression matching the header.`
	`226`	`+func (m HeaderRegexpMatcher) Value() string {`
	`227`	`+ expr := m.regex.String()`
	`228`	`+ return expr[4 : len(expr)-2]`
`227`	`229`	`}`
`228`	`230`
`229`	`231`	`// Match reports whether the request contains the configured header with any value matching the configured regular`
`@@ -247,7 +249,7 @@ func (m HeaderRegexpMatcher) Equal(matcher Matcher) bool {`
`247`	`249`
`248`	`250`	`// String returns a textual representation of the matcher in the form "hx:key=expr".`
`249`	`251`	`func (m HeaderRegexpMatcher) String() string {`
`250`		`- return "hx:" + m.canonicalKey + "=" + m.regex.String()`
	`252`	`+ return "hx:" + m.canonicalKey + "=" + m.Value()`
`251`	`253`	`}`
`252`	`254`
`253`	`255`	`// MatchClientIP returns a [ClientIPMatcher] that matches when the resolved client IP belongs to the given CIDR range.`
Original file line number	Diff line number	Diff line change
`@@ -391,7 +391,7 @@ func (fox Router) compileParamRegexp(rawRegex string) (regexp.Regexp, *Pattern`
`391`	`391`	`return nil, newPatternError("regexp", 0, 0, "missing expression")`
`392`	`392`	`}`
`393`	`393`
`394`		`- re, err := regexp.Compile("^" + rawRegex + "$")`
	`394`	`+ re, err := regexp.Compile("^(?:" + rawRegex + ")$")`
`395`	`395`	`if err != nil {`
`396`	`396`	`return nil, &PatternError{`
`397`	`397`	`Reason: "regexp",`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ func Test_parsePattern(t *testing.T) {`
`30`	`30`	`typ: nodeParam,`
`31`	`31`	`}`
`32`	`32`	`if reg != "" {`
`33`		`- tk.regexp = regexp.MustCompile("^" + reg + "$")`
	`33`	`+ tk.regexp = regexp.MustCompile("^(?:" + reg + ")$")`
`34`	`34`	`}`
`35`	`35`	`return tk`
`36`	`36`	`}`
`@@ -41,7 +41,7 @@ func Test_parsePattern(t *testing.T) {`
`41`	`41`	`typ: nodeWildcard,`
`42`	`42`	`}`
`43`	`43`	`if reg != "" {`
`44`		`- tk.regexp = regexp.MustCompile("^" + reg + "$")`
	`44`	`+ tk.regexp = regexp.MustCompile("^(?:" + reg + ")$")`
`45`	`45`	`}`
`46`	`46`	`return tk`
`47`	`47`	`}`