Fix regex backtracking issue in package_name_regex

The regex now uses "Atomic Groups" to make sure there is no backtracking and no performance issues on malicious package names

Fix regex backtracking issue in package_name_regex
The regex now uses "Atomic Groups" to make sure there is no backtracking and no performance issues on malicious package names
f99e3bb8 · dcouture · ccfbc5da · f99e3bb8 · f99e3bb8 · f99e3bb8
Commit f99e3bb8 authored Dec 01, 2020 by dcouture
3 changed files
--- a/changelogs/unreleased/security-package-regex-dos.yml
+++ b/changelogs/unreleased/security-package-regex-dos.yml
+---
+title: Fix regular expression backtracking issue in package name validation
+merge_request:
+author:
+type: security
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -27,7 +27,18 @@ module Gitlab
      end

      def package_name_regex
-        @package_name_regex ||= %r{\A\@?(([\w\-\.\+]*)\/)*([\w\-\.]+)@?(([\w\-\.\+]*)\/)*([\w\-\.]*)\z}.freeze
+        @package_name_regex ||=
+          %r{
+              \A\@?
+              (?> # atomic group to prevent backtracking
+                (([\w\-\.\+]*)\/)*([\w\-\.]+)
+              )
+              @?
+              (?> # atomic group to prevent backtracking
+                (([\w\-\.\+]*)\/)*([\w\-\.]*)
+              )
+              \z
+            }x.freeze
      end

      def maven_file_name_regex

--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@@ -292,6 +292,12 @@ RSpec.describe Gitlab::Regex do
    it { is_expected.not_to match('my package name') }
    it { is_expected.not_to match('!!()()') }
    it { is_expected.not_to match("..\n..\foo") }
+
+    it 'has no backtracking issue' do
+      Timeout.timeout(1) do
+        expect(subject).not_to match("-" * 50000 + ";")
+      end
+    end
  end

  describe '.maven_file_name_regex' do