diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 14:09:54 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 14:09:54 +0000 |
| commit | 37823295027da50ff5bc14df482b8cba09bf41b4 (patch) | |
| tree | b2a9e1deb265b777cb20cb6b4c512be955153a3b /config | |
| parent | 6bea43795252f980eeee7ce67413ef440da88a31 (diff) | |
| download | gitlab-ce-37823295027da50ff5bc14df482b8cba09bf41b4.tar.gz | |
Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee
Diffstat (limited to 'config')
| -rw-r--r-- | config/initializers/net_http_response_patch.rb | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/config/initializers/net_http_response_patch.rb b/config/initializers/net_http_response_patch.rb new file mode 100644 index 00000000000..4ffe227a3fd --- /dev/null +++ b/config/initializers/net_http_response_patch.rb @@ -0,0 +1,46 @@ +# frozen_string_literal: true + +module Net + class HTTPResponse + # rubocop: disable Cop/LineBreakAfterGuardClauses + # rubocop: disable Cop/LineBreakAroundConditionalBlock + # rubocop: disable Layout/EmptyLineAfterGuardClause + # rubocop: disable Style/AndOr + # rubocop: disable Style/CharacterLiteral + # rubocop: disable Style/InfiniteLoop + + # Original method: + # https://github.com/ruby/ruby/blob/v2_7_5/lib/net/http/response.rb#L54-L69 + # + # Our changes: + # - Pass along the `start_time` to `Gitlab::BufferedIo`, so we can raise a timeout + # if reading the headers takes too long. + # - Limit the regexes to avoid ReDoS attacks. + def self.each_response_header(sock) + start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC) + key = value = nil + while true + line = sock.is_a?(Gitlab::BufferedIo) ? sock.readuntil("\n", true, start_time) : sock.readuntil("\n", true) + line = line.sub(/\s{0,10}\z/, '') + break if line.empty? + if line[0] == ?\s or line[0] == ?\t and value + # :nocov: + value << ' ' unless value.empty? + value << line.strip + # :nocov: + else + yield key, value if key + key, value = line.strip.split(/\s{0,10}:\s{0,10}/, 2) + raise Net::HTTPBadResponse, 'wrong header line format' if value.nil? + end + end + yield key, value if key + end + # rubocop: enable Cop/LineBreakAfterGuardClauses + # rubocop: enable Cop/LineBreakAroundConditionalBlock + # rubocop: enable Layout/EmptyLineAfterGuardClause + # rubocop: enable Style/AndOr + # rubocop: enable Style/CharacterLiteral + # rubocop: enable Style/InfiniteLoop + end +end |