diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-30 22:02:13 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-30 22:02:13 +0000 |
commit | 516fba52cf280b9d5bad08dce9f0150f859b6cea (patch) | |
tree | 4dad71be856651af62c9a281b01087ae15480810 /app/models/releases | |
parent | c90be62bdefdb6bb67c73a9c4a6d164c9f78a28d (diff) | |
download | gitlab-ce-516fba52cf280b9d5bad08dce9f0150f859b6cea.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee
Diffstat (limited to 'app/models/releases')
-rw-r--r-- | app/models/releases/link.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/app/models/releases/link.rb b/app/models/releases/link.rb index e1dc3b904b9..82272f4857a 100644 --- a/app/models/releases/link.rb +++ b/app/models/releases/link.rb @@ -6,7 +6,9 @@ module Releases belongs_to :release - FILEPATH_REGEX = %r{\A/(?:[\-\.\w]+/?)*[\da-zA-Z]+\z}.freeze + # See https://gitlab.com/gitlab-org/gitlab/-/issues/218753 + # Regex modified to prevent catastrophic backtracking + FILEPATH_REGEX = %r{\A\/[^\/](?!.*\/\/.*)[\-\.\w\/]+[\da-zA-Z]+\z}.freeze validates :url, presence: true, addressable_url: { schemes: %w(http https ftp) }, uniqueness: { scope: :release } validates :name, presence: true, uniqueness: { scope: :release } |