Commit f99e3bb8 authored by dcouture's avatar dcouture

Fix regex backtracking issue in package_name_regex

The regex now uses atomic groups to make sure there is no backtracking
and no performance issue on malicious package names
parent ccfbc5da
---
title: Fix regular expression backtracking issue in package name validation
merge_request:
author:
type: security
...@@ -27,7 +27,18 @@ module Gitlab ...@@ -27,7 +27,18 @@ module Gitlab
end end
def package_name_regex def package_name_regex
@package_name_regex ||= %r{\A\@?(([\w\-\.\+]*)\/)*([\w\-\.]+)@?(([\w\-\.\+]*)\/)*([\w\-\.]*)\z}.freeze @package_name_regex ||=
%r{
\A\@?
(?> # atomic group to prevent backtracking
(([\w\-\.\+]*)\/)*([\w\-\.]+)
)
@?
(?> # atomic group to prevent backtracking
(([\w\-\.\+]*)\/)*([\w\-\.]*)
)
\z
}x.freeze
end end
def maven_file_name_regex def maven_file_name_regex
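Review bot: The two `# atomic group to prevent backtracking` comments say what the construct is but not which ambiguity it closes, and the next maintainer needs that before touching either group; I would expand the first one to `# atomic: the optional @ between ([\w\-\.]+) and ([\w\-\.]*) let a long run of name characters be split in O(n) ways, so a non-matching tail backtracked quadratically; committing each side bounds matching to one pass`. Escaping is also inconsistent between `\A\@?` and the later bare `@?`; `@` needs no escape, so `\A@?` reads cleaner. As far as I can trace, the atomic groups do not change the accepted language, because `[\w\-\.\+]` excludes both `/` and `@` and so each group's greedy first match is the only one that can lead to `\z`, but that is worth confirming against the existing positive examples in the spec rather than taken from this note.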
...@@ -292,6 +292,12 @@ RSpec.describe Gitlab::Regex do ...@@ -292,6 +292,12 @@ RSpec.describe Gitlab::Regex do
it { is_expected.not_to match('my package name') } it { is_expected.not_to match('my package name') }
it { is_expected.not_to match('!!()()') } it { is_expected.not_to match('!!()()') }
it { is_expected.not_to match("..\n..\foo") } it { is_expected.not_to match("..\n..\foo") }
it 'has no backtracking issue' do
Timeout.timeout(1) do
expect(subject).not_to match("-" * 50000 + ";")
end
end
end end
describe '.maven_file_name_regex' do describe '.maven_file_name_regex' do
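Review bot: The check under `Timeout.timeout(1)` is a weak regression guard: a one-second ceiling still passes on a fast machine for inputs whose matching is super-linear and can flake on a slow CI worker, and the single input `"-" * 50000 + ";"` only exercises the split between `([\w\-\.]+)` and `([\w\-\.]*)` around the optional `@`. I would add inputs that also drive the nested `(([\w\-\.\+]*)\/)*` quantifier so both atomic groups are covered, for example `"a/" * 50000 + ";"` and `"-" * 25000 + "@" + "-" * 25000 + ";"`. On Rubies that provide `Regexp.timeout` (3.2+) a suite-wide regexp timeout is a more reliable guard than a wall-clock `Timeout` around one example; the page does not show which Ruby this suite runs on, so treat that as a follow-up.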