From b304a72312465ed4c0a568ee6a6ea5e97f705c9b Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 17 Feb 2020 15:09:01 +0000
Subject: Add latest changes from gitlab-org/gitlab@master

---
 spec/models/user_spec.rb | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

(limited to 'spec/models/user_spec.rb')

diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 36ddb624cba..cd84bf54e8f 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -303,6 +303,20 @@ describe User, :do_not_mock_admin_mode do
 end
 end
 
+ context 'bad regex' do
+ before do
+ allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['([a-zA-Z0-9]+)+\.com'])
+ end
+
+ it 'does not hang on evil input' do
+ user = build(:user, email: 'user@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!.com')
+
+ expect do
+ Timeout.timeout(2.seconds) { user.valid? }
+ end.not_to raise_error
+ end
+ end
+
 context 'when a signup domain is whitelisted and subdomains are allowed' do
 before do
 allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com', '*.example.com'])
@@ -356,6 +370,20 @@ describe User, :do_not_mock_admin_mode do
 allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['example.com'])
 end
 
+ context 'bad regex' do
+ before do
+ allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['([a-zA-Z0-9]+)+\.com'])
+ end
+
+ it 'does not hang on evil input' do
+ user = build(:user, email: 'user@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!.com')
+
+ expect do
+ Timeout.timeout(2.seconds) { user.valid? }
+ end.not_to raise_error
+ end
+ end
+
 context 'when a signup domain is blacklisted' do
 it 'accepts info@test.com' do
 user = build(:user, email: 'info@test.com')
--
cgit v1.2.1
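Review bot: The new `it 'does not hang on evil input'` example in the whitelist hunk (and its copy in the `domain_blacklist` hunk at `@@ -356,6 +370,20 @@`) only asserts that `user.valid?` returns within two seconds; it never checks what the validator decided for `user@aaaa…!.com`, so a fix that simply stopped consulting the domain list would pass just as well as one that neutralises the regex. After the `expect do … end.not_to raise_error` block I would pin the outcome as well — presumably `expect(user).not_to be_valid` under the whitelist and `expect(user).to be_valid` under the blacklist, but the right expectation depends on how the validator interprets a list entry after the fix, which is outside this patch and should be confirmed. The two examples are byte-identical apart from the stubbed setting; a `shared_examples` block taking the setting name would keep the two timeouts and the two inputs from drifting apart. The enclosing `describe`/`context` blocks begin and end outside both hunks.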