One for the regex heroes I m trying to match a request conta WireMock #help

One for the regex heroes: I'm trying to match a re...

Bas Dijkstra

05/09/2024, 3:06 PM

One for the regex heroes: I'm trying to match a request containing a password field, but only if the password value: • Is 8 characters or longer • Contains an uppercase character (A-Z) • Contains a lowercase (a-z) • Contains a number (0-9) • Contains a special character (#?!@$%^&*-) This is my current regex matcher:

Copy code

{
  "matchesJsonPath": "$[?($.newPassword =~ /(?=.+?[A-Z])(?=.+?[a-z])(?=.+?[0-9])(?=.+?[#?!@$%^&*-]).{8,}/i)]"
}

However, this seems to also match

test123!

, i.e., it doesn't discern between upper- and lowercase characters. All other criteria are checked correctly. I don't think there's anything wrong with the regex itself, or at least when I test it with https://regexr.com/, it does not accept

test123!

.. Any ideas?

Tom

05/09/2024, 3:21 PM

Maybe easier to break it up with an

and

matchers as the sub-clause to

matchesJsonPath

Bas Dijkstra

05/09/2024, 3:24 PM

Totally agree it would make things easier to read (as far as that goes with regex), but would it make a difference in matching? But I'll give it a try, thanks! It's just weird to me that multiple online regex testers accept it, but WireMock doesn't..

Tom

05/09/2024, 3:26 PM

It shouldn’t make any difference in terms of matching (provided it’s correct of course). Java’s regexes aren’t quite like the other flavours out there unfortunately. I find it’s fairly common for an expression to work in online checkers but not Java unfortunately.

Bas Dijkstra

05/09/2024, 3:28 PM

OK, that's good to know. Thanks for the quick response, I'll let you know how I fare. I can get away with it in this specific case, I'll just 'sell' it as a security vulnerability 😉

Bas Dijkstra

05/09/2024, 3:33 PM

Damn, I don't think I can split it easily because of the total number of characters requirement. That would only make it even more complex. Ah well, I'll deal with this 'as is'. Thanks again, Tom, appreciate the quick response.

Tom

05/09/2024, 3:42 PM

Not sure I understand, can’t you have something like

.*{8,}

as one of the matchers?

Bas Dijkstra

05/09/2024, 3:43 PM

Ah yes, why did I not think of that? I'll try that tomorrow, I was just packing for the day. Thanks!

😁 1

Samuel Adesoga

05/10/2024, 9:19 AM

@Bas Dijkstra I have been able to get some success with chatgpt for cases like this

👍 1

Bas Dijkstra

05/11/2024, 6:41 AM

Hmm.. I changed the mapping file to this:

Copy code

"bodyPatterns" : [ {
					"matchesJsonPath" : "$[?($.oldPassword == 'abcDEF123@')]"
				},
				{
					"matchesJsonPath" : {
						"expression": "$.newPassword",
						"and" : [
							{
								"matches": "[A-Z]+"
							},
							{
								"matches": "[a-z]+"
							},
							{
								"matches": "[0-9]+"
							},
							{
								"matches": "[#?!@$%^&*-]+"
							},
							{
								"matches": ".*{8,}"
							}
						]
					}
				}

And now it doesn't match anything anymore.. Not even the passwords that were deemed OK before.

3 Views

Open in Slack

Previous Next