Use stricter regex for broadcast target path

e8161769 · nicolasdular · d12e63eb · e8161769 · e8161769 · e8161769
Commit e8161769 authored Apr 22, 2020 by nicolasdular
3 changed files
--- a/app/models/broadcast_message.rb
+++ b/app/models/broadcast_message.rb
@@ -105,7 +105,10 @@ class BroadcastMessage < ApplicationRecord
  def matches_current_path(current_path)
    return true if current_path.blank? || target_path.blank?

-    current_path.match(Regexp.escape(target_path).gsub('\\*', '.*'))
+    escaped = Regexp.escape(target_path).gsub('\\*', '.*')
+    regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
+
+    regexp.match(current_path)
  end

  def flush_redis_cache

--- a/changelogs/unreleased/nicolasdular-improve-target-path-regex.yml
+++ b/changelogs/unreleased/nicolasdular-improve-target-path-regex.yml
+---
+title: Use stricter regex for broadcast target path
+merge_request: 30210
+author:
+type: changed
--- a/spec/models/broadcast_message_spec.rb
+++ b/spec/models/broadcast_message_spec.rb
@@ -143,6 +143,24 @@ describe BroadcastMessage do

      expect(subject.call('/group/groupname/issues').length).to eq(0)
    end
+
+    it 'does not return message if target path has no wild card at the end' do
+      create(:broadcast_message, target_path: "*/issues", broadcast_type: broadcast_type)
+
+      expect(subject.call('/group/issues/test').length).to eq(0)
+    end
+
+    it 'does not return message if target path has wild card at the end' do
+      create(:broadcast_message, target_path: "/issues/*", broadcast_type: broadcast_type)
+
+      expect(subject.call('/group/issues/test').length).to eq(0)
+    end
+
+    it 'does return message if target path has wild card at the beginning and the end' do
+      create(:broadcast_message, target_path: "*/issues/*", broadcast_type: broadcast_type)
+
+      expect(subject.call('/group/issues/test').length).to eq(1)
+    end
  end

  describe '.current', :use_clean_rails_memory_store_caching do