[Bug] keyMatch3 gives false positive to malformed expression in Golang casbin library #1392

Closed
mih-kopylov opened this issue May 8, 2024 · 2 comments

@mih-kopylov
mih-kopylov commented May 8, 2024

Describe the bug
When a model uses keyMatch3 and a policy has a value that starts with *, it gives a false positive (true).

To Reproduce
Model:

[request_definition]
r = sub, url, method

[policy_definition]
p = sub, url_pattern, method

[policy_effect]
e = some(where (p.eft == allow))

[role_definition]
g = _,_

[matchers]
m = g(r.sub, p.sub) \
  && keyMatch3(r.url, p.url_pattern) \
  && (r.method == p.method)

Policy:

p, admin, */admin/*, GET

Test:

admin, /some/admin/v1/user/12, GET

In https://casbin.org/editor/ and in jCasbin it gives an error (Invalid regular expression: /^*/admin/.*$/: Nothing to repeat) or false.

But in the golang library it gives true.

Expected behavior
It gives false in the golang library.

https://editor.casbin.org/#GPXQEC6EV

Versions
github.com/casbin/casbin/v2 v2.77.2

@casbin-bot
Member

@tangyang9464 @JalinWang

@hsluoyz
Member

hsluoyz commented May 15, 2024

@mih-kopylov if you are using *, you should use keyMatch instead of keyMatch3. Using an inappropriate function will cause unexpected behavior. This is because the policy rules are not expected to become part of the penetration test against Casbin. The policy rules are totally trusted and on the same side together with the Casbin caller.

See: https://casbin.org/docs/function/


@hsluoyz hsluoyz closed this as completed May 15, 2024
@hsluoyz hsluoyz added question and removed bug labels May 15, 2024
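The thread above leaves two things implicit: why the Go library answers true where the editor and jCasbin error out, and how a caller who treats policy rules as trusted input can still catch a malformed url_pattern before it reaches the enforcer. The following is an added example, not casbin's code and not from either participant. It reconstructs the regular expression only from the error message quoted in the report (`/^*/admin/.*$/`, i.e. each `/*` becomes `/.*` inside `^...$`), so `keyMatch3Regex` is an illustrative approximation of the wildcard handling, and `validateKeyMatch3Pattern` and `rejectedPatterns` are hypothetical load-time checks. The sample policy rows are constructed from the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// keyMatch3Regex rebuilds the regular expression that the editor's error in the
// issue shows keyMatch3 deriving from a policy pattern ("/^*/admin/.*$/"):
// each "/*" becomes "/.*" and the result is anchored with ^ and $. This is an
// illustrative reconstruction for the wildcard case only, not casbin's own code.
func keyMatch3Regex(pattern string) string {
	return "^" + strings.ReplaceAll(pattern, "/*", "/.*") + "$"
}

// goRegexMatch reports whether Go's RE2 engine accepts the derived expression
// and, if so, whether it matches the request path. JavaScript rejects "^*"
// ("Nothing to repeat"); RE2 accepts it as "zero or more start anchors", which
// effectively drops the start anchor and turns the check into a substring search.
func goRegexMatch(requestPath, pattern string) (compiled, matched bool) {
	re, err := regexp.Compile(keyMatch3Regex(pattern))
	if err != nil {
		return false, false
	}
	return true, re.MatchString(requestPath)
}

// validateKeyMatch3Pattern is a hypothetical load-time check for the url_pattern
// column: it rejects any "*" that is not part of the "/*" form, so a pattern such
// as "*/admin/*" is refused when the policy is loaded instead of being matched
// against a malformed expression at enforcement time.
func validateKeyMatch3Pattern(pattern string) error {
	for i := 0; i < len(pattern); i++ {
		if pattern[i] == '*' && (i == 0 || pattern[i-1] != '/') {
			return fmt.Errorf("url_pattern %q: '*' at byte %d must follow '/' for keyMatch3", pattern, i)
		}
	}
	return nil
}

// rejectedPatterns runs the validator over policy rows in the issue's CSV layout
// (p, sub, url_pattern, method) and returns the url_pattern values that fail.
func rejectedPatterns(rows []string) []string {
	var bad []string
	for _, row := range rows {
		fields := strings.Split(row, ",")
		if len(fields) != 4 || strings.TrimSpace(fields[0]) != "p" {
			continue // not a p rule; g rules and comments are ignored here
		}
		pattern := strings.TrimSpace(fields[2])
		if err := validateKeyMatch3Pattern(pattern); err != nil {
			bad = append(bad, pattern)
		}
	}
	return bad
}

func main() {
	// Constructed sample: the issue's policy row plus a well-formed sibling.
	rows := []string{
		"p, admin, */admin/*, GET",
		"p, admin, /admin/*, GET",
	}
	request := "/some/admin/v1/user/12" // the request URL from the issue

	for _, p := range []string{"*/admin/*", "/admin/*"} {
		compiled, matched := goRegexMatch(request, p)
		fmt.Printf("pattern %-10s regex %-16s compiled=%v matched=%v\n",
			p, keyMatch3Regex(p), compiled, matched)
	}
	fmt.Println("rejected at load time:", rejectedPatterns(rows))
}
```

Running it shows `*/admin/*` compiling under Go and matching the request (the false positive from the report), while the properly anchored `/admin/*` does not match a path with a different prefix; the load-time validator is the place to enforce hsluoyz's point that rules must be well-formed for the matcher they are used with, since the enforcer itself will not flag them.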