Add variables expression pattern validation support

3 files changed, 20 insertions, 1 deletions

diff --git a/lib/gitlab/ci/pipeline/expression/lexeme/pattern.rb b/lib/gitlab/ci/pipeline/expression/lexeme/pattern.rb
index 53fb5f769d8..70a221010f3 100644
--- a/lib/gitlab/ci/pipeline/expression/lexeme/pattern.rb
+++ b/lib/gitlab/ci/pipeline/expression/lexeme/pattern.rb
@@ -10,6 +10,10 @@ module Gitlab
 
             def initialize(regexp)
               @value = regexp
+
+              unless Gitlab::UntrustedRegexp.valid?(@value)
+                raise Lexer::SyntaxError, 'Invalid regular expression!'
+              end
             end
 
             def evaluate(variables = {})
diff --git a/spec/lib/gitlab/ci/config/entry/policy_spec.rb b/spec/lib/gitlab/ci/config/entry/policy_spec.rb
index 08718c382b9..83d39b82068 100644
--- a/spec/lib/gitlab/ci/config/entry/policy_spec.rb
+++ b/spec/lib/gitlab/ci/config/entry/policy_spec.rb
@@ -111,7 +111,15 @@ describe Gitlab::Ci::Config::Entry::Policy do
     context 'when specifying invalid variables expressions token' do
       let(:config) { { variables: ['$MY_VAR == 123'] } }
 
-      it 'reports an error about invalid statement' do
+      it 'reports an error about invalid expression' do
+        expect(entry.errors).to include /invalid expression syntax/
+      end
+    end
+
+    context 'when using invalid variables expressions regexp' do
+      let(:config) { { variables: ['$MY_VAR =~ /some ( thing/'] } }
+
+      it 'reports an error about invalid expression' do
         expect(entry.errors).to include /invalid expression syntax/
       end
     end
diff --git a/spec/lib/gitlab/ci/pipeline/expression/lexeme/pattern_spec.rb b/spec/lib/gitlab/ci/pipeline/expression/lexeme/pattern_spec.rb
index 6435ee5c915..c63c38b1dbc 100644
--- a/spec/lib/gitlab/ci/pipeline/expression/lexeme/pattern_spec.rb
+++ b/spec/lib/gitlab/ci/pipeline/expression/lexeme/pattern_spec.rb
@@ -6,6 +6,11 @@ describe Gitlab::Ci::Pipeline::Expression::Lexeme::Pattern do
       expect(described_class.build('/.*/'))
         .to be_a(described_class)
     end
+
+    it 'raises an error if pattern is invalid' do
+      expect { described_class.build('/ some ( thin/i') }
+        .to raise_error(Gitlab::Ci::Pipeline::Expression::Lexer::SyntaxError)
+    end
   end
 
   describe '.type' do
@@ -80,6 +85,8 @@ describe Gitlab::Ci::Pipeline::Expression::Lexeme::Pattern do
     end
 
     it 'raises error if evaluated regexp is not valid' do
+      allow(Gitlab::UntrustedRegexp).to receive(:valid?).and_return(true)
+
       regexp = described_class.new('invalid ( .*')
 
       expect { regexp.evaluate }