diff options
| author | Sean McGivern <sean@gitlab.com> | 2017-07-20 13:16:00 +0000 |
|---|---|---|
| committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2017-07-20 14:40:28 +0100 |
| commit | 2ccee2bc0f95b0f8454c811adde1f06ec00374b8 (patch) | |
| tree | 5e1958e07ae547425e1a1a65ccf9a8ca3bef676c | |
| parent | 5fc5c818e8e6a56301bda84566eccfc32a0b6f50 (diff) | |
| download | gitlab-ce-2ccee2bc0f95b0f8454c811adde1f06ec00374b8.tar.gz | |
Merge branch 'fix-re2-infinite-loop-nick' into 'security-9-3'
Fix an infinite loop in Gitlab:UntrustedRegexp
See merge request !2146
| -rw-r--r-- | changelogs/unreleased/fix-re2-infinite-loop-nick.yml | 4 | ||||
| -rw-r--r-- | lib/gitlab/untrusted_regexp.rb | 29 | ||||
| -rw-r--r-- | spec/lib/gitlab/untrusted_regexp_spec.rb | 20 |
3 files changed, 45 insertions, 8 deletions
diff --git a/changelogs/unreleased/fix-re2-infinite-loop-nick.yml b/changelogs/unreleased/fix-re2-infinite-loop-nick.yml new file mode 100644 index 00000000000..3c314ab2718 --- /dev/null +++ b/changelogs/unreleased/fix-re2-infinite-loop-nick.yml @@ -0,0 +1,4 @@ +--- +title: Fix an infinite loop when handling user-supplied regular expressions +merge_request: +author: diff --git a/lib/gitlab/untrusted_regexp.rb b/lib/gitlab/untrusted_regexp.rb index 8b43f0053d6..925b2158a22 100644 --- a/lib/gitlab/untrusted_regexp.rb +++ b/lib/gitlab/untrusted_regexp.rb @@ -22,13 +22,28 @@ module Gitlab end def scan(text) - scan_regexp.scan(text).map do |match| - if regexp.number_of_capturing_groups == 0 - match.first - else - match - end + text = text.dup # modified in-place + results = [] + + loop do + match = scan_regexp.match(text) + break unless match + + # Ruby scan returns empty strings, not nil + groups = match.to_a.map(&:to_s) + + results << + if regexp.number_of_capturing_groups.zero? + groups[0] + else + groups[1..-1] + end + + text.slice!(0, match.end(0) || 1) + break unless text.present? end + + results end def replace(text, rewrite) @@ -43,7 +58,7 @@ module Gitlab # groups, so work around it def scan_regexp @scan_regexp ||= - if regexp.number_of_capturing_groups == 0 + if regexp.number_of_capturing_groups.zero? RE2::Regexp.new('(' + regexp.source + ')') else regexp diff --git a/spec/lib/gitlab/untrusted_regexp_spec.rb b/spec/lib/gitlab/untrusted_regexp_spec.rb index 66045917cb3..a2ef2a27e4c 100644 --- a/spec/lib/gitlab/untrusted_regexp_spec.rb +++ b/spec/lib/gitlab/untrusted_regexp_spec.rb @@ -46,10 +46,28 @@ describe Gitlab::UntrustedRegexp do context 'malicious regexp' do let(:text) { malicious_text } let(:regexp) { malicious_regexp } - + include_examples 'malicious regexp' end + context 'empty regexp' do + let(:regexp) { '' } + let(:text) { 'foo' } + + it 'returns an array of empty matches' do + is_expected.to eq(['', '', '']) + end + end + + context 'empty capture group regexp' do + let(:regexp) { '()' } + let(:text) { 'foo' } + + it 'returns arrays of empty matches in an array' do + is_expected.to eq([[''], [''], ['']]) + end + end + context 'no capture group' do let(:regexp) { '.+' } let(:text) { 'foo' } |