| author | Alexandru Croitor <acroitor@gitlab.com> | 2019-07-17 12:54:40 +0300 |
|---|---|---|
| committer | Alexandru Croitor <acroitor@gitlab.com> | 2019-08-22 10:43:13 +0300 |
| commit | 5af535d919c50951513f5859730afd924a01c29b (patch) | |
| tree | fcd3d97c37a6b292d25c206c05ca890f7c420906 /lib/gitlab/path_regex.rb | |
| parent | 8ae75677a38eafe5dda2ffe716df26a72093c5a8 (diff) | |
| download | gitlab-ce-5af535d919c50951513f5859730afd924a01c29b.tar.gz | |
Limit the size of issuable description and comments
Limiting the size of issuable description and comments to 1_000_000,
which is close to ~1MB of ASCII characters, which represents 99.9% of
all descriptions and comments we have in DB at the moment. This should
help prevent DoS attacks when comments contain reference strings.
Also, this change updates the regexp matching the namespace paths by
limiting the namespace paths to Namespace::NUMBER_OF_ANCESTORS_ALLOWED,
as we allow 20 levels deep groups.
See https://gitlab.com/gitlab-org/gitlab-ce/issues/61974#note_191274234
Diffstat (limited to 'lib/gitlab/path_regex.rb')
-rw-r--r-- | lib/gitlab/path_regex.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/gitlab/path_regex.rb b/lib/gitlab/path_regex.rb index f96466b2b00..d9c28ff1181 100644 --- a/lib/gitlab/path_regex.rb +++ b/lib/gitlab/path_regex.rb @@ -132,7 +132,7 @@ module Gitlab NO_SUFFIX_REGEX = /(?<!\.git|\.atom)/.freeze NAMESPACE_FORMAT_REGEX = /(?:#{NAMESPACE_FORMAT_REGEX_JS})#{NO_SUFFIX_REGEX}/.freeze PROJECT_PATH_FORMAT_REGEX = /(?:#{PATH_REGEX_STR})#{NO_SUFFIX_REGEX}/.freeze - FULL_NAMESPACE_FORMAT_REGEX = %r{(#{NAMESPACE_FORMAT_REGEX}/)*#{NAMESPACE_FORMAT_REGEX}}.freeze + FULL_NAMESPACE_FORMAT_REGEX = %r{(#{NAMESPACE_FORMAT_REGEX}/){,#{Namespace::NUMBER_OF_ANCESTORS_ALLOWED}}#{NAMESPACE_FORMAT_REGEX}}.freeze def root_namespace_route_regex @root_namespace_route_regex ||= begin |
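Review bot: the new bound `{,#{Namespace::NUMBER_OF_ANCESTORS_ALLOWED}}` on the `(#{NAMESPACE_FORMAT_REGEX}/)` group counts ancestor segments only, so FULL_NAMESPACE_FORMAT_REGEX still accepts NUMBER_OF_ANCESTORS_ALLOWED + 1 segments in total; please confirm that agrees with the "20 levels deep" limit the commit message cites (20 ancestors plus the leaf, or 20 segments in all) and add a spec asserting that a path one segment over the limit no longer matches, since that is the behaviour this change exists to guarantee. Two smaller points: `{,n}` is Onigmo's shorthand for `{0,n}` and is not accepted by the JavaScript engine that NAMESPACE_FORMAT_REGEX_JS is written for, so any JS-side equivalent of this regex needs the bound spelled `{0,n}`; and lib/gitlab/path_regex.rb now evaluates a constant from the Namespace model at load time, so check that the load order cannot raise NameError when Gitlab::PathRegex is referenced before the model is loadable.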