Log usage of ruby regexps into application log

This commit adds an ops feature flag for logging usage of untrusted ruby regexps.

Log usage of ruby regexps into application log
This commit adds an ops feature flag for logging usage of untrusted ruby regexps.
093992bb · Grzegorz Bizon · d056b0e5 · 093992bb · 093992bb · 093992bb
Commit 093992bb authored Jan 18, 2022 by Grzegorz Bizon
3 changed files
--- a/config/feature_flags/ops/ci_unsafge_regexp_logger.yml
+++ b/config/feature_flags/ops/ci_unsafge_regexp_logger.yml
+---
+name: ci_unsfage_regexp_logger
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78458
+rollout_issue_url:
+milestone: '14.7'
+type: ops
+group: group::pipeline authoring
+default_enabled: true
--- a/lib/gitlab/ci/build/policy/refs.rb
+++ b/lib/gitlab/ci/build/policy/refs.rb
@@ -35,7 +35,10 @@ module Gitlab
            # patterns can be matched only when branch or tag is used
            # the pattern matching does not work for merge requests pipelines
            if pipeline.branch? || pipeline.tag?
-              if regexp = Gitlab::UntrustedRegexp::RubySyntax.fabricate(pattern, fallback: true)
+              regexp = Gitlab::UntrustedRegexp::RubySyntax
+                .fabricate(pattern, fallback: true, project: pipeline.project)
+
+              if regexp
                regexp.match?(pipeline.ref)
              else
                pattern == pipeline.ref

--- a/lib/gitlab/untrusted_regexp/ruby_syntax.rb
+++ b/lib/gitlab/untrusted_regexp/ruby_syntax.rb
@@ -26,7 +26,7 @@ module Gitlab
        nil
      end

-      def self.fabricate!(pattern, fallback: false)
+      def self.fabricate!(pattern, fallback: false, project: nil)
        raise RegexpError, 'Pattern is not string!' unless pattern.is_a?(String)

        matches = pattern.match(PATTERN)
@@ -38,10 +38,23 @@ module Gitlab
          raise unless fallback &&
              Feature.enabled?(:allow_unsafe_ruby_regexp, default_enabled: false)

+          if log_untrusted_ruby_regexp?(project)
+            Gitlab::AppJsonLogger.info(
+              class: self.class.name,
+              project_id: project.id,
+              project_path: project.full_path,
+              regexp: pattern.to_s
+            )
+          end
+
          create_ruby_regexp(matches[:regexp], matches[:flags])
        end
      end

+      def log_untrusted_ruby_regexp?(project)
+        project.present? && Feature.enabled?(:ci_unsafe_regexp_logger, project, type: :ops, default_enabled: :yaml)
+      end
+
      def self.create_untrusted_regexp(pattern, flags)
        pattern.prepend("(?#{flags})") if flags.present?