Merge branch 'feature/gb/unsafe-regexp-logger' into 'master'

Log usage of ruby regexps into application log See merge request gitlab-org/gitlab!78458

Merge branch 'feature/gb/unsafe-regexp-logger' into 'master'
Log usage of ruby regexps into application log See merge request gitlab-org/gitlab!78458
68c68249 · Grzegorz Bizon · f88de08a · 08b10ced · 68c68249 · 68c68249
Commit 68c68249 authored Jan 19, 2022 by Grzegorz Bizon
3 changed files
--- a/config/feature_flags/ops/ci_unsafe_regexp_logger.yml
+++ b/config/feature_flags/ops/ci_unsafe_regexp_logger.yml
+---
+name: ci_unsafe_regexp_logger
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78458
+rollout_issue_url:
+milestone: '14.8'
+type: ops
+group: group::pipeline authoring
+default_enabled: true
--- a/lib/gitlab/ci/build/policy/refs.rb
+++ b/lib/gitlab/ci/build/policy/refs.rb
@@ -35,7 +35,10 @@ module Gitlab
            # patterns can be matched only when branch or tag is used
            # the pattern matching does not work for merge requests pipelines
            if pipeline.branch? || pipeline.tag?
-              if regexp = Gitlab::UntrustedRegexp::RubySyntax.fabricate(pattern, fallback: true)
+              regexp = Gitlab::UntrustedRegexp::RubySyntax
+                .fabricate(pattern, fallback: true, project: pipeline.project)
+
+              if regexp
                regexp.match?(pipeline.ref)
              else
                pattern == pipeline.ref

--- a/lib/gitlab/untrusted_regexp/ruby_syntax.rb
+++ b/lib/gitlab/untrusted_regexp/ruby_syntax.rb
@@ -20,13 +20,13 @@ module Gitlab
        !!self.fabricate(pattern, fallback: fallback)
      end

-      def self.fabricate(pattern, fallback: false)
-        self.fabricate!(pattern, fallback: fallback)
+      def self.fabricate(pattern, fallback: false, project: nil)
+        self.fabricate!(pattern, fallback: fallback, project: project)
      rescue RegexpError
        nil
      end

-      def self.fabricate!(pattern, fallback: false)
+      def self.fabricate!(pattern, fallback: false, project: nil)
        raise RegexpError, 'Pattern is not string!' unless pattern.is_a?(String)

        matches = pattern.match(PATTERN)
@@ -38,6 +38,16 @@ module Gitlab
          raise unless fallback &&
              Feature.enabled?(:allow_unsafe_ruby_regexp, default_enabled: false)

+          if Feature.enabled?(:ci_unsafe_regexp_logger, type: :ops, default_enabled: :yaml)
+            Gitlab::AppJsonLogger.info(
+              class: self.class.name,
+              regexp: pattern.to_s,
+              fabricated: 'unsafe ruby regexp',
+              project_id: project&.id,
+              project_path: project&.full_path
+            )
+          end
+
          create_ruby_regexp(matches[:regexp], matches[:flags])
        end
      end