From 336e666357d7a79f8b6ceadc2ede50a4d309da24 Mon Sep 17 00:00:00 2001
From: Robin Schneider
Date: Wed, 3 Mar 2021 16:49:37 +0100
Subject: [PATCH] Add regex example to "Match detection for URIs" that is not broken (#158)

* Add regex example to "Match detection for URIs" that is not broken

I find it important that examples actually follow best practices. The current regex one is not. `^https://.*google\.com$` is an improper regex (as already pointed out because it also matches `malicious-site.com`) that is only there to show the weaknesses of regular expressions for this use case. I find such an example very good for this purpose but there should also be a "good example" that complements it. I found such a "good example" that I hope is more useful and has no unwanted loopholes.

* Change wording from bad/good to unsafe/safe in regex match detection

* Update uri-match-detection.md

Co-authored-by: fred_the_tech_writer <69817454+fschillingeriv@users.noreply.github.com>
---
 _articles/features/uri-match-detection.md | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/_articles/features/uri-match-detection.md b/_articles/features/uri-match-detection.md
index 99dd00eb..7f877fac 100644
--- a/_articles/features/uri-match-detection.md
+++ b/_articles/features/uri-match-detection.md
@@ -75,11 +75,23 @@ Regular expressions are an advanced option and can be quite dangerous if used in Selecting **Regular expression** will prompt Bitwarden to offer auto-fill when the detected resources matches a specified [regular expression](https://en.wikipedia.org/wiki/Regular_expression){:target="_blank"}. Regular expressions are always *case insensitive*. -For example, if the URI vault `^https://.*google\.com$` uses regular expression match detection: +#### Unsafe example + +If the URI value `^https://.*google\.com$` uses regular expression match detection: - **Auto-fill offered** for `https://google.com`, `https://sub.google.com`, `https://malicious-site.com?q=google.com` - **Auto-fill not offered** for `http://google.com` or `https://yahoo.com` +This probably matches more than what is intended. Consider avoiding periods (`.`), which unless escaped (`\`) match on any character. + +#### Safe example + +If the URI value `^https://[a-z]+\.wikipedia\.org/w/index\.php` uses regular expression match detection: + +- **Auto-fill offered** for `https://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Bitwarden`, `https://pl.wikipedia.org/w/index.php?title=Specjalna:Zaloguj&returnto=Bitwarden`, `https://en.wikipedia.org/w/index.php` +- **Auto-fill not offered** for `https://en.wikipedia.org/wiki/Bitwarden`, `https://malicious-site.com` + + ### Exact Selecting **Exact** will prompt Bitwarden to offer auto-fill when the Login URI value matches the detected resource exactly.
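Review bot: In the "Unsafe example" section, the added sentence "Consider avoiding periods (`.`), which unless escaped (`\`) match on any character" does not name what actually causes the over-match. The period in `google\.com` is already escaped; `https://malicious-site.com?q=google.com` is accepted because `.*` is free to run past the host into the query string. I would reword the sentence to warn against `.*` ahead of the domain and point readers to a restricted class such as the `[a-z]+\.` used in the safe example. Under "Safe example", the pattern has no `$`, so it is a prefix match, which is what lets the `?title=...` URIs match; it is worth stating that explicitly so readers do not copy the pattern expecting an exact-path match. Since the context line says regular expressions are always case insensitive, it would also help to note that `[a-z]` accepts upper-case letters here. Minor: the hunk adds two consecutive empty lines before `### Exact` where one would do.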