Merge branch 'security-400-path-traversal-rce2' into 'master'

Update maven file_name regex for full string See merge request gitlab/gitlab-ee!1503

Merge branch 'security-400-path-traversal-rce2' into 'master'
Update maven file_name regex for full string See merge request gitlab/gitlab-ee!1503
f82020ea · Alessio Caiazza · bd794d6e · 21d68d27 · f82020ea · f82020ea
Commit f82020ea authored Dec 09, 2019 by Alessio Caiazza
3 changed files
--- a/changelogs/unreleased/security-400-path-traversal-rce2.yml
+++ b/changelogs/unreleased/security-400-path-traversal-rce2.yml
+---
+title: Update maven_file_name_regex for full string match
+merge_request:
+author:
+type: security
--- a/ee/lib/ee/gitlab/regex.rb
+++ b/ee/lib/ee/gitlab/regex.rb
@@ -28,7 +28,7 @@ module EE
        end

        def maven_file_name_regex
-          @maven_file_name_regex ||= %r{^[A-Za-z0-9\.\_\-\+]+$}.freeze
+          @maven_file_name_regex ||= %r{\A[A-Za-z0-9\.\_\-\+]+\z}.freeze
        end

        def maven_path_regex

--- a/ee/spec/lib/gitlab/regex_spec.rb
+++ b/ee/spec/lib/gitlab/regex_spec.rb
@@ -67,6 +67,7 @@ describe Gitlab::Regex do
    it { is_expected.not_to match('@@foo/bar') }
    it { is_expected.not_to match('my package name') }
    it { is_expected.not_to match('!!()()') }
+    it { is_expected.not_to match("..\n..\foo") }
  end

  describe '.maven_file_name_regex' do