Prevent DOS when rendering math markdown

Merge branch 'security-prevent_math_markdown_rendering_dos' into 'master'

See merge request gitlab-org/security/gitlab!2088

Changelog: security

lib/banzai/filter/math_filter.rb

@@ -25,7 +25,14 @@ module Banzai
 
       DOLLAR_SIGN = '$'
 
+      # Limit to how many nodes can be marked as math elements.
+      # Prevents timeouts for large notes.
+      # For more information check: https://gitlab.com/gitlab-org/gitlab/-/issues/341832
+      RENDER_NODES_LIMIT = 50
+
       def call
+        nodes_count = 0
+
         doc.xpath(XPATH_CODE).each do |code|
           closing = code.next
           opening = code.previous
@@ -41,6 +48,9 @@ module Banzai
             code[STYLE_ATTRIBUTE] = 'inline'
             closing.content = closing.content[1..]
             opening.content = opening.content[0..-2]
+
+            nodes_count += 1
+            break if nodes_count >= RENDER_NODES_LIMIT
           end
         end
 

spec/lib/banzai/filter/math_filter_spec.rb

@@ -126,4 +126,12 @@ RSpec.describe Banzai::Filter::MathFilter do
     expect(before.to_s).to eq '$'
     expect(after.to_s).to eq '$'
   end
+
+  it 'limits how many elements can be marked as math' do
+    stub_const('Banzai::Filter::MathFilter::RENDER_NODES_LIMIT', 2)
+
+    doc = filter('$<code>2+2</code>$ + $<code>3+3</code>$ + $<code>4+4</code>$')
+
+    expect(doc.search('.js-render-math').count).to eq(2)
+  end
 end