Prevent Billion Laughs attack

It keeps track of the memory being used when loading the YAML file as well as the depth of nesting. Track exception when YAML is too big
author: Fabio Pitino <fpitino@gitlab.com> 2019-07-02 06:23:06 +0000
committer: Marin Jankovski <marin@gitlab.com> 2019-07-02 06:23:06 +0000
commit: abceda6cc5fa796d9bd0d7311b386787e6919266 (patch)
tree: 3a6f0cc62d9e0c42267562547be45ea5ea2d858f /spec/lib/gitlab/ci
parent: 23dedd53a73a01429c0a5c99414548694f1fab0b (diff)
download: gitlab-ce-abceda6cc5fa796d9bd0d7311b386787e6919266.tar.gz
1 files changed, 21 insertions, 0 deletions
diff --git a/spec/lib/gitlab/ci/config_spec.rb b/spec/lib/gitlab/ci/config_spec.rb
index 7f336ee853e..4e8bff3d738 100644
--- a/spec/lib/gitlab/ci/config_spec.rb
+++ b/spec/lib/gitlab/ci/config_spec.rb
@@ -90,6 +90,27 @@ describe Gitlab::Ci::Config do
       end
     end
 
+    context 'when yml is too big' do
+      let(:yml) do
+        <<~YAML
+          --- &1
+          - hi
+          - *1
+        YAML
+      end
+
+      describe '.new' do
+        it 'raises error' do
+          expect(Gitlab::Sentry).to receive(:track_exception)
+
+          expect { config }.to raise_error(
+            described_class::ConfigError,
+            /The parsed YAML is too big/
+          )
+        end
+      end
+    end
+
     context 'when config logic is incorrect' do
       let(:yml) { 'before_script: "ls"' }
author	Fabio Pitino <fpitino@gitlab.com>	2019-07-02 06:23:06 +0000
committer	Marin Jankovski <marin@gitlab.com>	2019-07-02 06:23:06 +0000
commit	abceda6cc5fa796d9bd0d7311b386787e6919266 (patch)
tree	3a6f0cc62d9e0c42267562547be45ea5ea2d858f /spec/lib/gitlab/ci
parent	23dedd53a73a01429c0a5c99414548694f1fab0b (diff)
download	gitlab-ce-abceda6cc5fa796d9bd0d7311b386787e6919266.tar.gz