1 files changed, 50 insertions, 28 deletions

diff --git a/activemodel/lib/active_model/validations/format.rb b/activemodel/lib/active_model/validations/format.rb
index d3faa8c6a6..80150229a0 100644
--- a/activemodel/lib/active_model/validations/format.rb
+++ b/activemodel/lib/active_model/validations/format.rb
@@ -2,7 +2,7 @@ module ActiveModel
 
   # == Active Model Format Validator
   module Validations
-    class FormatValidator < EachValidator
+    class FormatValidator < EachValidator #:nodoc:
       def validate_each(record, attribute, value)
         if options[:with]
           regexp = option_call(record, :with)
@@ -33,59 +33,81 @@ module ActiveModel
         record.errors.add(attribute, :invalid, options.except(name).merge!(:value => value))
       end
 
+      def regexp_using_multiline_anchors?(regexp)
+        regexp.source.start_with?("^") ||
+          (regexp.source.end_with?("$") && !regexp.source.end_with?("\\$"))
+      end
+
       def check_options_validity(options, name)
         option = options[name]
         if option && !option.is_a?(Regexp) && !option.respond_to?(:call)
           raise ArgumentError, "A regular expression or a proc or lambda must be supplied as :#{name}"
+        elsif option && option.is_a?(Regexp) &&
+              regexp_using_multiline_anchors?(option) && options[:multiline] != true
+          raise ArgumentError, "The provided regular expression is using multiline anchors (^ or $), " \
+          "which may present a security risk. Did you mean to use \\A and \\z, or forgot to add the " \
+          ":multiline => true option?"
         end
       end
     end
 
     module HelperMethods
-      # Validates whether the value of the specified attribute is of the correct form, going by the regular expression provided.
-      # You can require that the attribute matches the regular expression:
+      # Validates whether the value of the specified attribute is of the correct
+      # form, going by the regular expression provided.You can require that the
+      # attribute matches the regular expression:
       #
       #   class Person < ActiveRecord::Base
-      #     validates_format_of :email, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i, :on => :create
+      #     validates_format_of :email, with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i, on: :create
       #   end
       #
-      # Alternatively, you can require that the specified attribute does _not_ match the regular expression:
+      # Alternatively, you can require that the specified attribute does _not_
+      # match the regular expression:
       #
       #   class Person < ActiveRecord::Base
-      #     validates_format_of :email, :without => /NOSPAM/
+      #     validates_format_of :email, without: /NOSPAM/
       #   end
       #
-      # You can also provide a proc or lambda which will determine the regular expression that will be used to validate the attribute
+      # You can also provide a proc or lambda which will determine the regular
+      # expression that will be used to validate the attribute.
       #
       #   class Person < ActiveRecord::Base
       #     # Admin can have number as a first letter in their screen name
-      #     validates_format_of :screen_name, :with => lambda{ |person| person.admin? ? /\A[a-z0-9][a-z0-9_\-]*\Z/i : /\A[a-z][a-z0-9_\-]*\Z/i }
+      #     validates_format_of :screen_name,
+      #                         with: ->(person) { person.admin? ? /\A[a-z0-9][a-z0-9_\-]*\z/i : /\A[a-z][a-z0-9_\-]*\z/i }
       #   end
       #
-      # Note: use <tt>\A</tt> and <tt>\Z</tt> to match the start and end of the string, <tt>^</tt> and <tt>$</tt> match the start/end of a line.
+      # Note: use <tt>\A</tt> and <tt>\Z</tt> to match the start and end of the
+      # string, <tt>^</tt> and <tt>$</tt> match the start/end of a line.
       #
-      # You must pass either <tt>:with</tt> or <tt>:without</tt> as an option. In addition, both must be a regular expression
-      # or a proc or lambda, or else an exception will be raised.
+      # Due to frequent misuse of <tt>^</tt> and <tt>$</tt>, you need to pass
+      # the <tt>multiline: true</tt> option in case you use any of these two
+      # anchors in the provided regular expression. In most cases, you should be
+      # using <tt>\A</tt> and <tt>\z</tt>.
+      #
+      # You must pass either <tt>:with</tt> or <tt>:without</tt> as an option.
+      # In addition, both must be a regular expression or a proc or lambda, or
+      # else an exception will be raised.
       #
       # Configuration options:
       # * <tt>:message</tt> - A custom error message (default is: "is invalid").
-      # * <tt>:allow_nil</tt> - If set to true, skips this validation if the attribute is +nil+ (default is +false+).
-      # * <tt>:allow_blank</tt> - If set to true, skips this validation if the attribute is blank (default is +false+).
-      # * <tt>:with</tt> - Regular expression that if the attribute matches will result in a successful validation.
-      #   This can be provided as a proc or lambda returning regular expression which will be called at runtime.
-      # * <tt>:without</tt> - Regular expression that if the attribute does not match will result in a successful validation.
-      #   This can be provided as a proc or lambda returning regular expression which will be called at runtime.
-      # * <tt>:on</tt> - Specifies when this validation is active. Runs in all
-      #   validation contexts by default (+nil+), other options are <tt>:create</tt>
-      #   and <tt>:update</tt>.
-      # * <tt>:if</tt> - Specifies a method, proc or string to call to determine if the validation should
-      #   occur (e.g. <tt>:if => :allow_validation</tt>, or <tt>:if => Proc.new { |user| user.signup_step > 2 }</tt>). The
-      #   method, proc or string should return or evaluate to a true or false value.
-      # * <tt>:unless</tt> - Specifies a method, proc or string to call to determine if the validation should
-      #   not occur (e.g. <tt>:unless => :skip_validation</tt>, or <tt>:unless => Proc.new { |user| user.signup_step <= 2 }</tt>). The
-      #   method, proc or string should return or evaluate to a true or false value.
-      # * <tt>:strict</tt> - Specifies whether validation should be strict. 
-      #   See <tt>ActiveModel::Validation#validates!</tt> for more information
+      # * <tt>:allow_nil</tt> - If set to true, skips this validation if the
+      #   attribute is +nil+ (default is +false+).
+      # * <tt>:allow_blank</tt> - If set to true, skips this validation if the
+      #   attribute is blank (default is +false+).
+      # * <tt>:with</tt> - Regular expression that if the attribute matches will
+      #   result in a successful validation. This can be provided as a proc or
+      #   lambda returning regular expression which will be called at runtime.
+      # * <tt>:without</tt> - Regular expression that if the attribute does not
+      #   match will result in a successful validation. This can be provided as
+      #   a proc or lambda returning regular expression which will be called at
+      #   runtime.
+      # * <tt>:multiline</tt> - Set to true if your regular expression contains
+      #   anchors that match the beginning or end of lines as opposed to the
+      #   beginning or end of the string. These anchors are <tt>^</tt> and <tt>$</tt>.
+      #
+      # There is also a list of default options supported by every validator:
+      # +:if+, +:unless+, +:on+ and +:strict+.
+      # See <tt>ActiveModel::Validation#validates</tt> for more information
       def validates_format_of(*attr_names)
         validates_with FormatValidator, _merge_attributes(attr_names)
       end