Commit 219d24fe authored by Heinrich Lee Yu's avatar Heinrich Lee Yu Committed by Yorick Peterse

Fix slow project reference pattern regex

parent 68d13322
...@@ -530,6 +530,7 @@ class Project < ActiveRecord::Base ...@@ -530,6 +530,7 @@ class Project < ActiveRecord::Base
def reference_pattern def reference_pattern
%r{ %r{
(?<!#{Gitlab::PathRegex::PATH_START_CHAR})
((?<namespace>#{Gitlab::PathRegex::FULL_NAMESPACE_FORMAT_REGEX})\/)? ((?<namespace>#{Gitlab::PathRegex::FULL_NAMESPACE_FORMAT_REGEX})\/)?
(?<project>#{Gitlab::PathRegex::PROJECT_PATH_FORMAT_REGEX}) (?<project>#{Gitlab::PathRegex::PROJECT_PATH_FORMAT_REGEX})
}x }x
......
---
title: Fix slow regex in project reference pattern
merge_request:
author:
type: security
...@@ -125,7 +125,8 @@ module Gitlab ...@@ -125,7 +125,8 @@ module Gitlab
# allow non-regex validations, etc), `NAMESPACE_FORMAT_REGEX_JS` serves as a Javascript-compatible version of # allow non-regex validations, etc), `NAMESPACE_FORMAT_REGEX_JS` serves as a Javascript-compatible version of
# `NAMESPACE_FORMAT_REGEX`, with the negative lookbehind assertion removed. This means that the client-side validation # `NAMESPACE_FORMAT_REGEX`, with the negative lookbehind assertion removed. This means that the client-side validation
# will pass for usernames ending in `.atom` and `.git`, but will be caught by the server-side validation. # will pass for usernames ending in `.atom` and `.git`, but will be caught by the server-side validation.
PATH_REGEX_STR = '[a-zA-Z0-9_\.][a-zA-Z0-9_\-\.]*'.freeze PATH_START_CHAR = '[a-zA-Z0-9_\.]'.freeze
PATH_REGEX_STR = PATH_START_CHAR + '[a-zA-Z0-9_\-\.]*'.freeze
NAMESPACE_FORMAT_REGEX_JS = PATH_REGEX_STR + '[a-zA-Z0-9_\-]|[a-zA-Z0-9_]'.freeze NAMESPACE_FORMAT_REGEX_JS = PATH_REGEX_STR + '[a-zA-Z0-9_\-]|[a-zA-Z0-9_]'.freeze
NO_SUFFIX_REGEX = /(?<!\.git|\.atom)/.freeze NO_SUFFIX_REGEX = /(?<!\.git|\.atom)/.freeze
......
...@@ -26,6 +26,12 @@ describe Banzai::Filter::ProjectReferenceFilter do ...@@ -26,6 +26,12 @@ describe Banzai::Filter::ProjectReferenceFilter do
expect(reference_filter(act).to_html).to eq(CGI.escapeHTML(exp)) expect(reference_filter(act).to_html).to eq(CGI.escapeHTML(exp))
end end
it 'fails fast for long invalid string' do
expect do
Timeout.timeout(5.seconds) { reference_filter("A" * 50000).to_html }
end.not_to raise_error
end
it 'allows references with text after the > character' do it 'allows references with text after the > character' do
doc = reference_filter("Hey #{reference}foo") doc = reference_filter("Hey #{reference}foo")
expect(doc.css('a').first.attr('href')).to eq urls.project_url(subject) expect(doc.css('a').first.attr('href')).to eq urls.project_url(subject)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment