help-bash

Re: Verifying numeric values


From: Greg Wooledge
Subject: Re: Verifying numeric values
Date: Tue, 19 Oct 2021 07:20:58 -0400

On Mon, Oct 18, 2021 at 11:44:16PM -0400, Andy Chu wrote:
> On Mon, Oct 18, 2021 at 11:25 PM Greg Wooledge <greg@wooledge.org> wrote:
> >
> > On Mon, Oct 18, 2021 at 11:10:32PM -0400, Andy Chu wrote:
> > > Try this:
> > >
> > > is_valid() {
> > >   local x=$1
> > >   local b=$(( 1 <= x && x <= 255 ))
> > >   return $(( ! b ))   # 0 is true, 1 is false
> > > }
> >
> > Using un-validated input in a math context is a code injection in bash.
> > Given that the purpose of this function is to validate the input, one
> > must assume the input may be malicious.
> 
> Yes good point, I wrote about that here:
> 
> https://www.oilshell.org/blog/2019/01/18.html#a-story-about-a-30-year-old-security-problem
> 
> In that case I would turn it into something like this
> 
> 
> is_valid() {
>   local x=$1
>   if [[ $x =~ ^[[:digit:]]+$ ]]; then
>     local b=$(( 1 <= x && x <= 255 ))
>     return $(( ! b ))   # 0 is true, 1 is false
>   else
>     return 1
>   fi
> }
> 
> (Or use 'expr' if you care about portability to non-bash shells.)

You can use 'case'.

In sufficiently new versions of bash, you can replace your regex with
an extended glob -- yes, even if "extglob" is not enabled.  In newer
versions of bash, extended globs are *always* allowed inside [[.

[[ $x = +([[:digit:]]) ]]

Or see <https://mywiki.wooledge.org/BashFAQ/054> for other ideas.
Whoever put that "Avoid [[:digit:]]" sentence on there... well,
it's a public wiki, so you get all kinds of edits.
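
Added example, not part of the original thread: a 'case'-based validator for the 1..255 range discussed above, which checks the whole string before any arithmetic is evaluated. The function name is_valid_octet and the sample inputs are constructed for illustration; the leading-zero and length checks go beyond what the messages cover.

```bash
# Added example. is_valid_octet is a hypothetical name; all inputs are constructed.

is_valid_octet() {
  local n
  n=$1

  # 1. Pattern check before any arithmetic. A case pattern must match the
  #    whole string, so "12abc" and "1+1" are rejected here; a regex would
  #    need ^ and $ anchors to give the same guarantee.
  case $n in
    '' | *[![:digit:]]*) return 1 ;;
  esac

  # 2. Strip leading zeros: in arithmetic "08" is an invalid octal constant
  #    and "010" means 8, neither of which is what the caller typed.
  while [ "${n#0}" != "$n" ] && [ -n "${n#0}" ]; do
    n=${n#0}
  done

  # 3. Bound the length: bash arithmetic is fixed-width, so a long digit
  #    string such as 18446744073709551617 (2^64 + 1) would wrap to 1.
  [ "${#n}" -le 3 ] || return 1

  # 4. n is now 1-3 decimal digits, so the range test is safe to evaluate.
  return $(( ! (1 <= n && n <= 255) ))
}

# Constructed sample inputs: valid values, boundary values, and malformed strings.
for sample in 1 255 08 007 0 256 12abc 1+1 '' 18446744073709551617; do
  if is_valid_octet "$sample"; then
    printf 'accept: %s\n' "$sample"
  else
    printf 'reject: %s\n' "$sample"
  fi
done
```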


