Today I realized that while it's not documented, we allow arbitrary regexes in the "channel" part of a Rule, see https://github.com/mozilla/balrog/blob/f8d9bd8c054ff26d70b76e633f53032c739ac789/auslib/db.py#L1503 and https://github.com/mozilla/balrog/blob/f8d9bd8c054ff26d70b76e633f53032c739ac789/auslib/db.py#L1486. This is way more power than is needed, and could lead to accidents (eg: if we set "*" as the channel, or r* or something silly like that). I suspect this was a very quick and lazy way to allow for globbing. The only thing we truly want to support here is globbing at the end of the channel -- so we should rework this code to make that the only supported case.

I'm looking into this, will update if there are any advances.

@bhearsum So do we just need to ensure that channel name contains more than a certain number of characters...I don't have much experience with balrog but may be something like this-> ``` def _matchesRegex(self, foo, bar): # Expand wildcards and use ^/$ to make sure we don't succeed on partial # matches. Eg, 3.6* matches 3.6, 3.6.1, 3.6b3, etc. if foo.endswith('*'): #To stop small matches like 'r*' if(re.match('^.{0,2}\*$', foo)): return False test = foo.replace('.', '\.').replace('*', '\*', foo.count('*')-1) test = test[:-1] test = test + '.*' test = '^%s$' % test if re.match(test, bar): return True return False else: test = foo.replace('.', '\.').replace('*', '\*') test = '^%s$' % test if re.match(test, bar): return True return False ```

(In reply to bhavishyagopesh from comment #2) > @bhearsum So do we just need to ensure that channel name contains more than > a certain number of characters...I don't have much experience with balrog > but may be something like this-> > > ``` > > def _matchesRegex(self, foo, bar): > # Expand wildcards and use ^/$ to make sure we don't succeed on > partial > # matches. Eg, 3.6* matches 3.6, 3.6.1, 3.6b3, etc. > if foo.endswith('*'): > #To stop small matches like 'r*' > if(re.match('^.{0,2}\*$', foo)): > return False > > test = foo.replace('.', '\.').replace('*', '\*', > foo.count('*')-1) > test = test[:-1] > test = test + '.*' > test = '^%s$' % test > if re.match(test, bar): > return True > return False > else: > test = foo.replace('.', '\.').replace('*', '\*') > test = '^%s$' % test > if re.match(test, bar): > return True > return False > > ``` I think this is on the right track, I replied in detail in your pull request (https://github.com/mozilla/balrog/pull/367#pullrequestreview-55003575).

Commit pushed to master at https://github.com/mozilla/balrog https://github.com/mozilla/balrog/commit/2bcdd4c115e89a61eb1d09b66aea3300ad803f30 bug 1379244: don't allow arbitrary regex matching in channels (#367). r=bhearsum

This is in production. Thank you for your contribution!