Merge branch 'security-61974-limit-issue-comment-size' into 'master'

Limit the size of issuable description and comments See merge request gitlab/gitlabhq!3267
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-29 21:34:15 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-29 21:34:15 +0000
commit: b01c7ad291a81bc23d2c3fe7266eaf05de6cb434 (patch)
tree: 87f9ce5d469b330aa336f675194d1ce11b4b38c2 /lib
parent: a5b2a3786056ddf99de06c8315e9a42c3bf86cd5 (diff)
parent: 5af535d919c50951513f5859730afd924a01c29b (diff)
download: gitlab-ce-b01c7ad291a81bc23d2c3fe7266eaf05de6cb434.tar.gz
2 files changed, 5 insertions, 1 deletions
diff --git a/lib/gitlab/database.rb b/lib/gitlab/database.rb
index cbdff0ab060..707466426db 100644
--- a/lib/gitlab/database.rb
+++ b/lib/gitlab/database.rb
@@ -13,6 +13,10 @@ module Gitlab
     # FIXME: this should just be the max value of timestampz
     MAX_TIMESTAMP_VALUE = Time.at((1 << 31) - 1).freeze
 
+    # The maximum number of characters for text fields, to avoid DoS attacks via parsing huge text fields
+    # https://gitlab.com/gitlab-org/gitlab-ce/issues/61974
+    MAX_TEXT_SIZE_LIMIT = 1_000_000
+
     # Minimum schema version from which migrations are supported
     # Migrations before this version may have been removed
     MIN_SCHEMA_VERSION = 20190506135400
diff --git a/lib/gitlab/path_regex.rb b/lib/gitlab/path_regex.rb
index f96466b2b00..d9c28ff1181 100644
--- a/lib/gitlab/path_regex.rb
+++ b/lib/gitlab/path_regex.rb
@@ -132,7 +132,7 @@ module Gitlab
     NO_SUFFIX_REGEX = /(?<!\.git|\.atom)/.freeze
     NAMESPACE_FORMAT_REGEX = /(?:#{NAMESPACE_FORMAT_REGEX_JS})#{NO_SUFFIX_REGEX}/.freeze
     PROJECT_PATH_FORMAT_REGEX = /(?:#{PATH_REGEX_STR})#{NO_SUFFIX_REGEX}/.freeze
-    FULL_NAMESPACE_FORMAT_REGEX = %r{(#{NAMESPACE_FORMAT_REGEX}/)*#{NAMESPACE_FORMAT_REGEX}}.freeze
+    FULL_NAMESPACE_FORMAT_REGEX = %r{(#{NAMESPACE_FORMAT_REGEX}/){,#{Namespace::NUMBER_OF_ANCESTORS_ALLOWED}}#{NAMESPACE_FORMAT_REGEX}}.freeze
 
     def root_namespace_route_regex
       @root_namespace_route_regex ||= begin
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-29 21:34:15 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-29 21:34:15 +0000
commit	b01c7ad291a81bc23d2c3fe7266eaf05de6cb434 (patch)
tree	87f9ce5d469b330aa336f675194d1ce11b4b38c2 /lib
parent	a5b2a3786056ddf99de06c8315e9a42c3bf86cd5 (diff)
parent	5af535d919c50951513f5859730afd924a01c29b (diff)
download	gitlab-ce-b01c7ad291a81bc23d2c3fe7266eaf05de6cb434.tar.gz