Merge branch 'security-improve-ci-job-group-name-regexp-14-10' into '14-10-stable-ee'

Limit CI job group_name regexp See merge request gitlab-org/security/gitlab!2382

Merge branch 'security-improve-ci-job-group-name-regexp-14-10' into '14-10-stable-ee'
Limit CI job group_name regexp See merge request gitlab-org/security/gitlab!2382
c870ea7b · GitLab Release Tools Bot · ad109bc6 · 9e3fbfce · c870ea7b · c870ea7b
Commit c870ea7b authored Apr 29, 2022 by GitLab Release Tools Bot
Showing with 9 additions and 2 deletions

app/models/commit_status.rb app/models/commit_status.rb +7 -1

doc/ci/jobs/index.md doc/ci/jobs/index.md +1 -1

spec/models/commit_status_spec.rb spec/models/commit_status_spec.rb +1 -0

No files found.
--- a/app/models/commit_status.rb
+++ b/app/models/commit_status.rb
@@ -229,7 +229,13 @@ class CommitStatus < Ci::ApplicationRecord
  end
  def group_name
-    name.to_s.sub(%r{([\b\s:]+((\[.*\])|(\d+[\s:\/\\]+\d+)))+\s*\z}, '').strip
+    # [\b\s:] -> whitespace or column
+    # (\[.*\])|(\d+[\s:\/\\]+\d+) -> variables/matrix or parallel-jobs numbers
+    # {1,3} -> number of times that matches the variables/matrix or parallel-jobs numbers
+    #          we limit this to 3 because of possible abuse
+    regex = %r{([\b\s:]+((\[.*\])|(\d+[\s:\/\\]+\d+))){1,3}\s*\z}
+    name.to_s.sub(regex, '').strip
  end
  def failed_but_allowed?

--- a/doc/ci/jobs/index.md
+++ b/doc/ci/jobs/index.md
@@ -167,7 +167,7 @@ The jobs are ordered by comparing the numbers from left to right. You
 usually want the first number to be the index and the second number to be the total.
 [This regular expression](https://gitlab.com/gitlab-org/gitlab/-/blob/2f3dc314f42dbd79813e6251792853bc231e69dd/app/models/commit_status.rb#L99)
-evaluates the job names: `([\b\s:]+((\[.*\])|(\d+[\s:\/\\]+\d+)))+\s*\z`.
+evaluates the job names: `([\b\s:]+((\[.*\])|(\d+[\s:\/\\]+\d+))){1,3}\s*\z`.
 One or more `: [...]`, `X Y`, `X/Y`, or `X\Y` sequences are removed from the **end**
 of job names only. Matching substrings found at the beginning or in the middle of
 job names are not removed.

--- a/spec/models/commit_status_spec.rb
+++ b/spec/models/commit_status_spec.rb
@@ -618,6 +618,7 @@ RSpec.describe CommitStatus do
      'rspec:windows 10000 20000'                           | 'rspec:windows'
      'rspec:windows 0 : / 1'                               | 'rspec:windows'
      'rspec:windows 0 : / 1 name'                          | 'rspec:windows 0 : / 1 name'
+      'rspec [inception: [something, other thing], value]'  | 'rspec'
      '0 1 name ruby'                                       | '0 1 name ruby'
      '0 :/ 1 name ruby'                                    | '0 :/ 1 name ruby'
      'rspec: [aws]'                                        | 'rspec'