author | Sean McGivern <sean@gitlab.com> | 2018-01-15 14:49:27 +0000 |
---|---|---|
committer | Sean McGivern <sean@gitlab.com> | 2018-01-16 11:56:07 +0000 |
commit | 82f4564fb7dc57a9a7bb6a052926ee219bb29b13 (patch) | |
tree | 47ba9aacaa5ca1be77a97800021d2c3821dd0799 /lib | |
parent | 1df5c74fc94a0fbeb7b89b7e10655626b58a5bc6 (diff) | |
download | gitlab-ce-82f4564fb7dc57a9a7bb6a052926ee219bb29b13.tar.gz |
Fix project search results for digits surrounded by colons
A file containing /:\d+:/ in its contents would break the search results if
those contents were part of the results, because we were splitting on colons,
which can't work with untrusted input.
Changing to use the null byte as a separator is much safer.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/project_search_results.rb | 13 |
1 files changed, 4 insertions, 9 deletions
diff --git a/lib/gitlab/project_search_results.rb b/lib/gitlab/project_search_results.rb
index e2662fc362b..7771b15069b 100644
--- a/lib/gitlab/project_search_results.rb
+++ b/lib/gitlab/project_search_results.rb
@@ -44,25 +44,20 @@ module Gitlab
       ref = nil
       filename = nil
       basename = nil
+      data = ""
       startline = 0
-      result.each_line.each_with_index do |line, index|
-        matches = line.match(/^(?<ref>[^:]*):(?<filename>.*):(?<startline>\d+):/)
-        if matches
+      result.strip.each_line.each_with_index do |line, index|
+        prefix ||= line.match(/^(?<ref>[^:]*):(?<filename>.*)\x00(?<startline>\d+)\x00/)&.tap do |matches|
           ref = matches[:ref]
           filename = matches[:filename]
           startline = matches[:startline]
           startline = startline.to_i - index
           extname = Regexp.escape(File.extname(filename))
           basename = filename.sub(/#{extname}$/, '')
-          break
         end
-      end
-
-      data = ""
-      result.each_line do |line|
-        data << line.sub(ref, '').sub(filename, '').sub(/^:-\d+-/, '').sub(/^::\d+:/, '')
+        data << line.sub(prefix.to_s, '')
       end
       FoundBlob.new( |