Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
af9b0bfb
Commit
af9b0bfb
authored
6 years ago
by
Grzegorz Bizon
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Simplify untrusted regexp factory method
parent
61d55b56
No related merge requests found
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
16 additions
and
21 deletions
+16
-21
lib/gitlab/untrusted_regexp.rb
lib/gitlab/untrusted_regexp.rb
+6
-9
spec/lib/gitlab/ci/pipeline/expression/lexeme/pattern_spec.rb
.../lib/gitlab/ci/pipeline/expression/lexeme/pattern_spec.rb
+2
-2
spec/lib/gitlab/untrusted_regexp_spec.rb
spec/lib/gitlab/untrusted_regexp_spec.rb
+6
-10
spec/support/shared_examples/malicious_regexp_shared_examples.rb
...pport/shared_examples/malicious_regexp_shared_examples.rb
+2
-0
No files found.
lib/gitlab/untrusted_regexp.rb
View file @
af9b0bfb
...
...
@@ -55,7 +55,7 @@ module Gitlab
end
def
self
.
valid?
(
pattern
)
self
.
fabricate
(
pattern
)
!!
self
.
fabricate
(
pattern
)
rescue
RegexpError
false
end
...
...
@@ -63,16 +63,13 @@ module Gitlab
def
self
.
fabricate
(
pattern
)
matches
=
pattern
.
match
(
%r{^/(?<regexp>.+)/(?<flags>[ismU]*)$}
)
if
matches
expression
=
matches
[
:regexp
]
flags
=
matches
[
:flags
]
raise
RegexpError
,
'Invalid regular expression!'
if
matches
.
nil?
expression
.
prepend
(
"(?
#{
flags
}
)"
)
if
flags
.
present?
expression
=
matches
[
:regexp
]
flags
=
matches
[
:flags
]
expression
.
prepend
(
"(?
#{
flags
}
)"
)
if
flags
.
present?
self
.
new
(
expression
,
multiline:
false
)
else
self
.
new
(
pattern
,
multiline:
false
)
end
self
.
new
(
expression
,
multiline:
false
)
end
private
...
...
This diff is collapsed.
Click to expand it.
spec/lib/gitlab/ci/pipeline/expression/lexeme/pattern_spec.rb
View file @
af9b0bfb
...
...
@@ -79,7 +79,7 @@ describe Gitlab::Ci::Pipeline::Expression::Lexeme::Pattern do
describe
'#evaluate'
do
it
'returns a regular expression'
do
regexp
=
described_class
.
new
(
'
abc
'
)
regexp
=
described_class
.
new
(
'
/abc/
'
)
expect
(
regexp
.
evaluate
).
to
eq
Gitlab
::
UntrustedRegexp
.
new
(
'abc'
)
end
...
...
@@ -87,7 +87,7 @@ describe Gitlab::Ci::Pipeline::Expression::Lexeme::Pattern do
it
'raises error if evaluated regexp is not valid'
do
allow
(
Gitlab
::
UntrustedRegexp
).
to
receive
(
:valid?
).
and_return
(
true
)
regexp
=
described_class
.
new
(
'
invalid ( .*
'
)
regexp
=
described_class
.
new
(
'
/invalid ( .*/
'
)
expect
{
regexp
.
evaluate
}
.
to
raise_error
(
Gitlab
::
Ci
::
Pipeline
::
Expression
::
RuntimeError
)
...
...
This diff is collapsed.
Click to expand it.
spec/lib/gitlab/untrusted_regexp_spec.rb
View file @
af9b0bfb
...
...
@@ -4,9 +4,13 @@ require 'support/shared_examples/malicious_regexp_shared_examples'
describe
Gitlab
::
UntrustedRegexp
do
describe
'.valid?'
do
it
'returns true if regexp is valid'
do
expect
(
described_class
.
valid?
(
'/some ( thing/'
))
.
to
be
false
end
it
'returns true if regexp is invalid'
do
expect
(
described_class
.
valid?
(
'/some .* thing/'
))
.
to
be
true
end
end
...
...
@@ -32,17 +36,9 @@ describe Gitlab::UntrustedRegexp do
end
end
context
'when regexp is not plain pattern'
do
it
'fabricates regexp without flags'
do
regexp
=
described_class
.
fabricate
(
'something'
)
expect
(
regexp
).
to
eq
described_class
.
new
(
'something'
)
end
end
context
'when regexp is invalid'
do
context
'when regexp is a raw pattern'
do
it
'raises an error'
do
expect
{
described_class
.
fabricate
(
'
/some ( thing/
'
)
}
expect
{
described_class
.
fabricate
(
'
some .* thing
'
)
}
.
to
raise_error
(
RegexpError
)
end
end
...
...
This diff is collapsed.
Click to expand it.
spec/support/shared_examples/malicious_regexp_shared_examples.rb
View file @
af9b0bfb
require
'timeout'
shared_examples
'malicious regexp'
do
let
(
:malicious_text
)
{
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!'
}
let
(
:malicious_regexp
)
{
'(?i)^(([a-z])+.)+[A-Z]([a-z])+$'
}
...
...
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment