Merge Requests: fix validation of deployed params

f386a66e · Jonas Wälter · Igor Drozdov · cacf2fa9 · f386a66e · f386a66e
Commit f386a66e authored Nov 26, 2021 by Jonas Wälter Committed by Igor Drozdov Nov 26, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 2 deletions

app/finders/merge_requests_finder.rb app/finders/merge_requests_finder.rb +9 -2

spec/finders/merge_requests_finder_spec.rb spec/finders/merge_requests_finder_spec.rb +24 -0

No files found.
--- a/app/finders/merge_requests_finder.rb
+++ b/app/finders/merge_requests_finder.rb
@@ -174,8 +174,8 @@ class MergeRequestsFinder < IssuableFinder

  def by_deployments(items)
    env = params[:environment]
-    before = params[:deployed_before]
-    after = params[:deployed_after]
+    before = parse_datetime(params[:deployed_before])
+    after = parse_datetime(params[:deployed_after])
    id = params[:deployment_id]

    return items if !env && !before && !after && !id
@@ -218,6 +218,13 @@ class MergeRequestsFinder < IssuableFinder
      items.none
    end
  end
+
+  def parse_datetime(input)
+    # To work around http://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
+    DateTime.parse(input.byteslice(0, 128)) if input
+  rescue Date::Error
+    nil
+  end
 end

 MergeRequestsFinder.prepend_mod_with('MergeRequestsFinder')
--- a/spec/finders/merge_requests_finder_spec.rb
+++ b/spec/finders/merge_requests_finder_spec.rb
@@ -681,6 +681,18 @@ RSpec.describe MergeRequestsFinder do
          expect(mrs).to eq([mr1])
        end

+        it 'filters merge requests ignoring empty deployed_before' do
+          mrs = described_class.new(user, deployed_before: '').execute
+
+          expect(mrs.size).to eq(7)
+        end
+
+        it 'filters merge requests ignoring invalid deployed_before' do
+          mrs = described_class.new(user, deployed_before: '2021-99-99').execute
+
+          expect(mrs.size).to eq(7)
+        end
+
        it 'filters merge requests deployed after a given date' do
          mrs = described_class
            .new(user, deployed_after: '2020-10-01 12:00')
@@ -688,6 +700,18 @@ RSpec.describe MergeRequestsFinder do

          expect(mrs).to eq([mr2])
        end
+
+        it 'filters merge requests ignoring empty deployed_after' do
+          mrs = described_class.new(user, deployed_after: '').execute
+
+          expect(mrs.size).to eq(7)
+        end
+
+        it 'filters merge requests ignoring invalid deployed_after' do
+          mrs = described_class.new(user, deployed_after: '2021-99-99').execute
+
+          expect(mrs.size).to eq(7)
+        end
      end

      it 'does not raise any exception with complex filters' do