Commit ba3ce318 authored by Robert Speicher

Merge branch 'custom-emoji-name-validation' into 'master'

Improve Custom Emoji name validation regular expression

See merge request gitlab-org/gitlab!48918
parents cf768361 ab5b735b
...@@ -17,7 +17,7 @@ class CustomEmoji < ApplicationRecord ...@@ -17,7 +17,7 @@ class CustomEmoji < ApplicationRecord
uniqueness: { scope: [:namespace_id, :name] }, uniqueness: { scope: [:namespace_id, :name] },
presence: true, presence: true,
length: { maximum: 36 }, length: { maximum: 36 },
format: { with: /\A([a-z0-9]+[-_]?)+[a-z0-9]+\z/ } format: { with: /\A[a-z0-9][a-z0-9\-_]*[a-z0-9]\z/ }
private private
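Review bot: The replacement pattern on line 13 changes the accepted set of names, not only the backtracking behaviour: `[a-z0-9\-_]*` admits consecutive or mixed separators such as `a--b` or `a-_b`, which the previous `([a-z0-9]+[-_]?)+` form rejected, and nothing in the commit says whether that loosening is intended. If it is, a comment next to the validation should say so, e.g. `# Linear-time pattern (no nested quantifiers); separators may repeat. The length check above does not short-circuit this format check, so it still runs on over-long input.` If it is not, the old constraint can be kept without the nested quantifier by a constructed alternative such as `/\A[a-z0-9]+([-_][a-z0-9]+)*\z/`, where the separator class and the alphanumeric class are disjoint so the engine never has two ways to split the same input. Either way the new pattern, like the old one, rejects single-character names and names that start or end with a separator, which is worth stating in that comment. The enclosing CustomEmoji class continues outside the hunk.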
---
title: Fix regular expression backtracking issue in custom emoji name validation
merge_request:
author:
type: security
...@@ -22,6 +22,15 @@ RSpec.describe CustomEmoji do ...@@ -22,6 +22,15 @@ RSpec.describe CustomEmoji do
expect(new_emoji.errors.messages).to eq(name: ["#{emoji_name} is already being used for another emoji"]) expect(new_emoji.errors.messages).to eq(name: ["#{emoji_name} is already being used for another emoji"])
end end
it 'disallows very long invalid emoji name without regular expression backtracking issues' do
new_emoji = build(:custom_emoji, name: 'a' * 10000 + '!', group: group)
Timeout.timeout(1) do
expect(new_emoji).not_to be_valid
expect(new_emoji.errors.messages).to eq(name: ["is too long (maximum is 36 characters)", "is invalid"])
end
end
it 'disallows duplicate custom emoji names within namespace' do it 'disallows duplicate custom emoji names within namespace' do
old_emoji = create(:custom_emoji, group: group) old_emoji = create(:custom_emoji, group: group)
new_emoji = build(:custom_emoji, name: old_emoji.name, namespace: old_emoji.namespace, group: group) new_emoji = build(:custom_emoji, name: old_emoji.name, namespace: old_emoji.namespace, group: group)
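Review bot: The new example on lines 24-30 detects a backtracking regression only through `Timeout.timeout(1)`, which is a coarse signal: a pathological pattern that finishes in under a second on the CI runner still passes, and a slow runner can make an otherwise correct implementation fail, so the example is both weak and potentially flaky. The commit also leaves the regex's boundary behaviour untested: the new pattern rejects a single-character name, a leading or trailing separator, and now accepts repeated separators, but no example pins any of these. Consider adding examples such as `expect(build(:custom_emoji, name: '-a', group: group)).not_to be_valid` and `expect(build(:custom_emoji, name: 'a--b', group: group)).to be_valid` (or `not_to`, whichever is intended) so the accepted set is fixed by the spec rather than only by the timing guard. `Timeout` is presumably already loaded in this spec environment; if not, the example needs `require 'timeout'`.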