Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-09-30 22:02:13 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-09-30 22:02:13 +0000
commit: 516fba52cf280b9d5bad08dce9f0150f859b6cea (patch)
tree: 4dad71be856651af62c9a281b01087ae15480810 /app/models/releases
parent: c90be62bdefdb6bb67c73a9c4a6d164c9f78a28d (diff)
download: gitlab-ce-516fba52cf280b9d5bad08dce9f0150f859b6cea.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/app/models/releases/link.rb b/app/models/releases/link.rb
index e1dc3b904b9..82272f4857a 100644
--- a/app/models/releases/link.rb
+++ b/app/models/releases/link.rb
@@ -6,7 +6,9 @@ module Releases
 
     belongs_to :release
 
-    FILEPATH_REGEX = %r{\A/(?:[\-\.\w]+/?)*[\da-zA-Z]+\z}.freeze
+    # See https://gitlab.com/gitlab-org/gitlab/-/issues/218753
+    # Regex modified to prevent catastrophic backtracking
+    FILEPATH_REGEX = %r{\A\/[^\/](?!.*\/\/.*)[\-\.\w\/]+[\da-zA-Z]+\z}.freeze
 
     validates :url, presence: true, addressable_url: { schemes: %w(http https ftp) }, uniqueness: { scope: :release }
     validates :name, presence: true, uniqueness: { scope: :release }
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-09-30 22:02:13 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-09-30 22:02:13 +0000
commit	516fba52cf280b9d5bad08dce9f0150f859b6cea (patch)
tree	4dad71be856651af62c9a281b01087ae15480810 /app/models/releases
parent	c90be62bdefdb6bb67c73a9c4a6d164c9f78a28d (diff)
download	gitlab-ce-516fba52cf280b9d5bad08dce9f0150f859b6cea.tar.gz