Merge branch 'security-fixes-release-asset-link-filepath-ReDoS' into 'master'

Fixes release asset link filepath ReDoS See merge request gitlab-org/security/gitlab!924

Merge branch 'security-fixes-release-asset-link-filepath-ReDoS' into 'master'
Fixes release asset link filepath ReDoS See merge request gitlab-org/security/gitlab!924
c6023d15 · GitLab Release Tools Bot · 8399fb66 · 73cc5591 · c6023d15 · c6023d15
Commit c6023d15 authored Sep 25, 2020 by GitLab Release Tools Bot
Showing with 8 additions and 1 deletion

app/models/releases/link.rb app/models/releases/link.rb +3 -1

changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml ...ased/security-fixes-release-asset-link-filepath-ReDoS.yml +5 -0

No files found.
--- a/app/models/releases/link.rb
+++ b/app/models/releases/link.rb
@@ -6,7 +6,9 @@ module Releases

    belongs_to :release

-    FILEPATH_REGEX = %r{\A/(?:[\-\.\w]+/?)*[\da-zA-Z]+\z}.freeze
+    # See https://gitlab.com/gitlab-org/gitlab/-/issues/218753
+    # Regex modified to prevent catastrophic backtracking
+    FILEPATH_REGEX = %r{\A\/[^\/](?!.*\/\/.*)[\-\.\w\/]+[\da-zA-Z]+\z}.freeze

    validates :url, presence: true, addressable_url: { schemes: %w(http https ftp) }, uniqueness: { scope: :release }
    validates :name, presence: true, uniqueness: { scope: :release }

--- a/changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml
+++ b/changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml
+---
+title: Fixes release asset link filepath ReDoS
+merge_request:
+author:
+type: security