Fix color validation regex

Also prevents ReDoS vulnerability
author: Heinrich Lee Yu <heinrich@gitlab.com> 2019-06-12 22:48:38 +0800
committer: Heinrich Lee Yu <heinrich@gitlab.com> 2019-06-25 09:06:26 +0800
commit: 717824144f8181bef524592eab882dd7525a60ef (patch)
tree: 34ab75284acca146e6aa0a5f16429e485e81cb97 /spec/validators
parent: db9783f7826ed5ba58a8941dd80a1cd7dda517b0 (diff)
download: gitlab-ce-717824144f8181bef524592eab882dd7525a60ef.tar.gz
1 files changed, 43 insertions, 0 deletions
diff --git a/spec/validators/color_validator_spec.rb b/spec/validators/color_validator_spec.rb
new file mode 100644
index 00000000000..e5a38ac9372
--- /dev/null
+++ b/spec/validators/color_validator_spec.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ColorValidator do
+  using RSpec::Parameterized::TableSyntax
+
+  subject do
+    Class.new do
+      include ActiveModel::Model
+      include ActiveModel::Validations
+      attr_accessor :color
+      validates :color, color: true
+    end.new
+  end
+
+  where(:color, :is_valid) do
+    '#000abc'    | true
+    '#aaa'       | true
+    '#BBB'       | true
+    '#cCc'       | true
+    '#ffff'      | false
+    '#000111222' | false
+    'invalid'    | false
+    '000'        | false
+  end
+
+  with_them do
+    it 'only accepts valid colors' do
+      subject.color = color
+
+      expect(subject.valid?).to eq(is_valid)
+    end
+  end
+
+  it 'fails fast for long invalid string' do
+    subject.color = '#' + ('0' * 50_000) + 'xxx'
+
+    expect do
+      Timeout.timeout(5.seconds) { subject.valid? }
+    end.not_to raise_error
+  end
+end
author	Heinrich Lee Yu <heinrich@gitlab.com>	2019-06-12 22:48:38 +0800
committer	Heinrich Lee Yu <heinrich@gitlab.com>	2019-06-25 09:06:26 +0800
commit	717824144f8181bef524592eab882dd7525a60ef (patch)
tree	34ab75284acca146e6aa0a5f16429e485e81cb97 /spec/validators
parent	db9783f7826ed5ba58a8941dd80a1cd7dda517b0 (diff)
download	gitlab-ce-717824144f8181bef524592eab882dd7525a60ef.tar.gz