Merge branch 'security-use-untrusted-regexp' into 'master'

Use UntrustedRegexp for CI refs matching See merge request gitlab/gitlabhq!3005
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-04-02 07:48:24 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-04-02 07:48:24 +0000
commit: 3098259e90616c86d9c0b0c5861b9871c92b7da1 (patch)
tree: d3dd08ec097489021a698f5faceae90bc207ff25 /lib/gitlab/ci/build
parent: e116842ad9e55d2359d3dfa5e6b1c5ab049860c2 (diff)
parent: b22287f00fc10800486510c64139b4fefb38ac4c (diff)
download: gitlab-ce-3098259e90616c86d9c0b0c5861b9871c92b7da1.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/gitlab/ci/build/policy/refs.rb b/lib/gitlab/ci/build/policy/refs.rb
index df5f5ffc253..360424bec11 100644
--- a/lib/gitlab/ci/build/policy/refs.rb
+++ b/lib/gitlab/ci/build/policy/refs.rb
@@ -35,8 +35,8 @@ module Gitlab
             # patterns can be matched only when branch or tag is used
             # the pattern matching does not work for merge requests pipelines
             if pipeline.branch? || pipeline.tag?
-              if pattern.first == "/" && pattern.last == "/"
-                Regexp.new(pattern[1...-1]) =~ pipeline.ref
+              if regexp = Gitlab::UntrustedRegexp::RubySyntax.fabricate(pattern)
+                regexp.match?(pipeline.ref)
               else
                 pattern == pipeline.ref
               end
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-04-02 07:48:24 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-04-02 07:48:24 +0000
commit	3098259e90616c86d9c0b0c5861b9871c92b7da1 (patch)
tree	d3dd08ec097489021a698f5faceae90bc207ff25 /lib/gitlab/ci/build
parent	e116842ad9e55d2359d3dfa5e6b1c5ab049860c2 (diff)
parent	b22287f00fc10800486510c64139b4fefb38ac4c (diff)
download	gitlab-ce-3098259e90616c86d9c0b0c5861b9871c92b7da1.tar.gz