author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-03-31 00:04:18 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-03-31 00:04:18 +0000 |
commit | 386b6dbcda5bb479ff0a6038d5dcf188bcd878b8 (patch) | |
tree | bf9f655c2546eed57ee03aee07317abf9399cca5 /app/models | |
parent | f5ed5550433a5fedd128542680a94a2c9407919e (diff) | |
Add latest changes from gitlab-org/security/gitlab@14-9-stable-ee
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/releases/link.rb | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/app/models/releases/link.rb b/app/models/releases/link.rb
index acc56d3980a..347adbdf96a 100644
--- a/app/models/releases/link.rb
+++ b/app/models/releases/link.rb
@@ -9,10 +9,20 @@ module Releases
     # See https://gitlab.com/gitlab-org/gitlab/-/issues/218753
     # Regex modified to prevent catastrophic backtracking
     FILEPATH_REGEX = %r{\A\/[^\/](?!.*\/\/.*)[\-\.\w\/]+[\da-zA-Z]+\z}.freeze
+    FILEPATH_MAX_LENGTH = 128
     validates :url, presence: true, addressable_url: { schemes: %w(http https ftp) }, uniqueness: { scope: :release }
     validates :name, presence: true, uniqueness: { scope: :release }
-    validates :filepath, uniqueness: { scope: :release }, format: { with: FILEPATH_REGEX }, allow_blank: true, length: { maximum: 128 }
+    validates :filepath, uniqueness: { scope: :release }, allow_blank: true
+    validate :filepath_format_valid?
+
+    # we use a custom validator here to prevent running the regex if the string is too long
+    # see https://gitlab.com/gitlab-org/gitlab/-/issues/273771
+    def filepath_format_valid?
+      return if filepath.nil? # valid use case
+      return errors.add(:filepath, "is too long (maximum is #{FILEPATH_MAX_LENGTH} characters)") if filepath.length > FILEPATH_MAX_LENGTH
+      return errors.add(:filepath, 'is in an invalid format') unless FILEPATH_REGEX.match? filepath
+    end
     scope :sorted, -> { order(created_at: :desc) }
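Review bot: The custom validator short-circuits only on `filepath.nil?`, while the sibling `validates :filepath, uniqueness: { scope: :release }, allow_blank: true` on the line above (and the removed line's `allow_blank: true`, which also covered the format check) treats an empty string as permitted, so a blank `filepath` that previously validated now fails with 'is in an invalid format'. If blank is still meant to be accepted, `return if filepath.blank? # valid use case` keeps the two validations consistent and preserves the earlier behaviour; if rejecting an empty string is deliberate, the comment above the method should say so, since the length-before-regex ordering is the only motivation it currently gives. Separately, `filepath_format_valid?` reads as a predicate but returns the result of `errors.add` or nil rather than a boolean; a name such as `validate_filepath_format` matches the `validate :` registration idiom used here. The enclosing class under `module Releases` begins before and ends after this hunk.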