Merge branch 'security-fix-regex-dos' into 'master'

[master] Fix DoS in reference extraction regexes

Closes #2766

See merge request gitlab/gitlabhq!2768

app/models/project.rb

@@ -530,6 +530,7 @@ class Project < ActiveRecord::Base
 
     def reference_pattern
       %r{
+        (?<!#{Gitlab::PathRegex::PATH_START_CHAR})
         ((?<namespace>#{Gitlab::PathRegex::FULL_NAMESPACE_FORMAT_REGEX})\/)?
         (?<project>#{Gitlab::PathRegex::PROJECT_PATH_FORMAT_REGEX})
       }x

changelogs/unreleased/security-fix-regex-dos.yml

+---
+title: Fix slow regex in project reference pattern
+merge_request:
+author:
+type: security

lib/gitlab/path_regex.rb

@@ -125,7 +125,8 @@ module Gitlab
     # allow non-regex validations, etc), `NAMESPACE_FORMAT_REGEX_JS` serves as a Javascript-compatible version of
     # `NAMESPACE_FORMAT_REGEX`, with the negative lookbehind assertion removed. This means that the client-side validation
     # will pass for usernames ending in `.atom` and `.git`, but will be caught by the server-side validation.
-    PATH_REGEX_STR = '[a-zA-Z0-9_\.][a-zA-Z0-9_\-\.]*'.freeze
+    PATH_START_CHAR = '[a-zA-Z0-9_\.]'.freeze
+    PATH_REGEX_STR = PATH_START_CHAR + '[a-zA-Z0-9_\-\.]*'.freeze
     NAMESPACE_FORMAT_REGEX_JS = PATH_REGEX_STR + '[a-zA-Z0-9_\-]|[a-zA-Z0-9_]'.freeze
 
     NO_SUFFIX_REGEX = /(?<!\.git|\.atom)/.freeze

spec/lib/banzai/filter/project_reference_filter_spec.rb

@@ -26,6 +26,12 @@ describe Banzai::Filter::ProjectReferenceFilter do
     expect(reference_filter(act).to_html).to eq(CGI.escapeHTML(exp))
   end
 
+  it 'fails fast for long invalid string' do
+    expect do
+      Timeout.timeout(5.seconds) { reference_filter("A" * 50000).to_html }
+    end.not_to raise_error
+  end
+
   it 'allows references with text after the > character' do
     doc = reference_filter("Hey #{reference}foo")
     expect(doc.css('a').first.attr('href')).to eq urls.project_url(subject)