Fixes release asset link filepath ReDoS

Closes https://gitlab.com/gitlab-org/gitlab/-/issues/218753 See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/924

Fixes release asset link filepath ReDoS
Closes https://gitlab.com/gitlab-org/gitlab/-/issues/218753 See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/924
73cc5591 · Sean Carroll · f4f63b99 · 73cc5591 · 73cc5591
Commit 73cc5591 authored Sep 15, 2020 by Sean Carroll
Showing with 8 additions and 1 deletion

app/models/releases/link.rb app/models/releases/link.rb +3 -1

changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml ...ased/security-fixes-release-asset-link-filepath-ReDoS.yml +5 -0

No files found.
--- a/app/models/releases/link.rb
+++ b/app/models/releases/link.rb
@@ -6,7 +6,9 @@ module Releases

    belongs_to :release

-    FILEPATH_REGEX = %r{\A/(?:[\-\.\w]+/?)*[\da-zA-Z]+\z}.freeze
+    # See https://gitlab.com/gitlab-org/gitlab/-/issues/218753
+    # Regex modified to prevent catastrophic backtracking
+    FILEPATH_REGEX = %r{\A\/[^\/](?!.*\/\/.*)[\-\.\w\/]+[\da-zA-Z]+\z}.freeze

    validates :url, presence: true, addressable_url: { schemes: %w(http https ftp) }, uniqueness: { scope: :release }
    validates :name, presence: true, uniqueness: { scope: :release }

--- a/changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml
+++ b/changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml
+---
+title: Fixes release asset link filepath ReDoS
+merge_request:
+author:
+type: security