author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-28 22:02:13 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-28 22:02:23 +0000 |
commit | cda92b051261cb820ed3ea9683865aeb85890411 (patch) | |
tree | c1c49629eb0aebd9806775d56eb329797d6ecfc0 /app/uploaders | |
parent | cbc166ca72db07da07995c60bbbf4e83ba30699d (diff) | |
download | gitlab-ce-cda92b051261cb820ed3ea9683865aeb85890411.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
Diffstat (limited to 'app/uploaders')
-rw-r--r-- | app/uploaders/file_uploader.rb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb
index bf5be708060..7250ce5c0b0 100644
--- a/app/uploaders/file_uploader.rb
+++ b/app/uploaders/file_uploader.rb
@@ -14,7 +14,12 @@ class FileUploader < GitlabUploader
 include ObjectStorage::Concern
 prepend ObjectStorage::Extension::RecordsUploads
- MARKDOWN_PATTERN = %r{\!?\[.*?\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>.*?)\)}.freeze
+ # This pattern is vulnerable to malicious inputs, so use Gitlab::UntrustedRegexp
+ # to place bounds on execution time
+ MARKDOWN_PATTERN = Gitlab::UntrustedRegexp.new(
+ '!?\[.*?\]\(/uploads/(?P<secret>[0-9a-f]{32})/(?P<file>.*?)\)'
+ )
+
 DYNAMIC_PATH_PATTERN = %r{.*(?<secret>\b(\h{10}|\h{32}))\/(?<identifier>.*)}.freeze
 VALID_SECRET_PATTERN = %r{\A\h{10,32}\z}.freeze
|
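Review bot: The new comment above MARKDOWN_PATTERN states the problem rather than the resulting contract, and it omits the fact a caller most needs: after this hunk the constant is a Gitlab::UntrustedRegexp, not a ::Regexp. Suggested wording: `# Matches markdown references to /uploads/<secret>/<file>. The lazy .*? groups can backtrack heavily on crafted input, so the pattern is compiled through Gitlab::UntrustedRegexp (RE2) to bound match time. Not a ::Regexp: use the UntrustedRegexp API, not =~ or String#scan.` Because the type changed, any caller outside app/uploaders that still applies Regexp methods to MARKDOWN_PATTERN would break at runtime; the diffstat is limited to this directory, so those callers are not visible here and should be confirmed as updated in the same release. The sibling DYNAMIC_PATH_PATTERN on the next context line also opens with an unanchored `.*` followed by an alternation and is left as a plain Regexp, so it is worth assessing under the same bounded-execution policy, though nothing in this hunk shows which inputs reach it. The enclosing class FileUploader continues outside the hunk.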