Support for negative lookahead

[AshutoshNirkhe]

Hello,

I have a use case where I want to build a regex which will match a certain pattern of strings and will not contain a particular word at the end of string. For example, docker image should come from a allowed list of container registries and the image shouldn't be the 'latest' tag (i.e. image name shouldn't end in ':latest').
For example: regex should match 'docker.io/fluent-bit:1.2.1' but not 'docker.io/fluent-bit:latest'

Context: I am using a security policy tool that works on top of Rego from Open Policy Agent and Rego seems to be using this library under the hood. I can see 'negative lookahead' is not supported as per https://github.com/google/re2/blob/main/doc/syntax.txt#L83
Any specific reason why this is not supported ? If it can't be, then could you suggest any alternative regex logic to handle such use case ?
Thanks!!

[BurntSushi]

https://github.com/google/re2/search?q=lookahead&type=issues

[AshutoshNirkhe]

https://github.com/google/re2/search?q=lookahead&type=issues

Thanks @BurntSushi but am confused after seeing those different threads really. Seems like it's difficult to be supported. Is it still under consideration or not ?

[BurntSushi]

I'm not a contributor to this project. I'm just pointing out that this exact question has been asked and answered many times.

This one in particular gives a pretty clear answer to your question I think: #269

[AshutoshNirkhe]

I'm not a contributor to this project. I'm just pointing out that this exact question has been asked and answered many times.

This one in particular gives a pretty clear answer to your question I think: #269

I see, thanks. "the situation is unlikely to change in the foreseeable future" :)

[junyer]

Thanks, @BurntSushi. ;)

Indeed, the situation remains unlikely to change in the foreseeable future. Late last week, I might have figured out tolerable¹ handling of look-around assertions. Alas, in terms of "how do we get there from here", it will require enough blood, sweat and tears that it ain't getting done in my copious spare time. (This isn't even considering the effort needed to bring RE2/J, the Go regexp package and the Rust regex crate in line with RE2 subsequently so that they continue to support the same syntax.)

To answer your other question, handling negation at the application level is typically clearer and easier anyway. Assuming that this is what you are using, regex.match("^docker[.]io/", value) AND NOT regex.match(":latest$", value) seems to do what you need. As per https://github.com/open-policy-agent/opa/blob/main/wasm/src/regex.cc#L83, regex.match() is using RE2::PartialMatch(), not RE2::FullMatch(), so it's simple and also efficient just to match prefixes and suffixes separately.

Footnotes

1. It's a pragmatic tradeoff in software engineering, not a minor breakthrough in computer science. ↩