Commit ce83fa3b authored by Rémy Coutable

Merge branch 'search-helper-escape-regexp' into 'master'

Escape search terms before passing to Regexp

## What does this MR do?

Use `Regexp.escape` to escape the search terms before passing them to `Regexp.new`.

## Why was this MR needed?

- evaluated regular expressions in search terms lead to unexpected results
- unbalanced parentheses in the search term lead to a server error

## TODO

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added

## What are the relevant issue numbers?

fixes #14360

See merge request !6241
parents f6003507 e64e45db
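The two failure modes listed in the merge request description, and what `Regexp.escape` changes, can be seen directly by running the pre-fix and post-fix filter side by side. The following is an added example, not GitLab code: the label hashes and the search terms are constructed for illustration, and `filter_unescaped`/`filter_escaped` are stand-ins for the before and after states of `SearchHelper`.

```ruby
# Added example (not GitLab code): what happens when a user-supplied search
# term is compiled into a Regexp with and without Regexp.escape.

# Constructed sample of autocomplete entries, mirroring the {label: ...}
# hashes the helper filters. The labels are assumptions for illustration.
SAMPLE_RESULTS = [
  { label: "Webhooks" },
  { label: "API" },
  { label: "Help: Rake tasks" },
  { label: "Project (archived)" },
].freeze

# Before the fix: the raw term becomes the pattern, so regex metacharacters
# in it are interpreted.
def filter_unescaped(results, term)
  pattern = Regexp.new(term, Regexp::IGNORECASE)
  results.select { |r| r[:label] =~ pattern }
end

# After the fix: metacharacters are escaped, so the term matches literally.
def filter_escaped(results, term)
  pattern = Regexp.new(Regexp.escape(term), Regexp::IGNORECASE)
  results.select { |r| r[:label] =~ pattern }
end

# Run both filters on one term. The unescaped path may raise RegexpError
# (e.g. on an unbalanced parenthesis); that is reported instead of crashing,
# which in the original helper would have surfaced as a server error.
def outcome(results, term)
  unescaped = begin
    filter_unescaped(results, term).map { |r| r[:label] }
  rescue RegexpError => e
    "RegexpError: #{e.message}"
  end
  escaped = filter_escaped(results, term).map { |r| r[:label] }
  { unescaped: unescaped, escaped: escaped }
end

if __FILE__ == $PROGRAM_NAME
  # Alternation, unbalanced paren, a legitimate term containing parens, and
  # a match-everything pattern.
  ["(webhooks|api)", "(", "project (archived)", ".*"].each do |term|
    puts "#{term.inspect} => #{outcome(SAMPLE_RESULTS, term)}"
  end
end
```

The third term is the case worth noticing: a user searching for the literal text `project (archived)` gets no hits from the unescaped filter, because the parentheses are read as a group, while the escaped filter returns the matching label. Escaping therefore fixes correctness for ordinary input as well as closing the injection and error cases.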
...@@ -12,6 +12,7 @@ v 8.12.0 (unreleased) ...@@ -12,6 +12,7 @@ v 8.12.0 (unreleased)
- Change logo animation to CSS (ClemMakesApps) - Change logo animation to CSS (ClemMakesApps)
- Instructions for enabling Git packfile bitmaps !6104 - Instructions for enabling Git packfile bitmaps !6104
- Fix pagination on user snippets page - Fix pagination on user snippets page
- Escape search term before passing it to Regexp.new !6241 (winniehell)
- Change merge_error column from string to text type - Change merge_error column from string to text type
- Reduce contributions calendar data payload (ClemMakesApps) - Reduce contributions calendar data payload (ClemMakesApps)
- Add `web_url` field to issue, merge request, and snippet API objects (Ben Boeckel) - Add `web_url` field to issue, merge request, and snippet API objects (Ben Boeckel)
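Review bot: the merge request description still carries an unchecked `- [ ] CHANGELOG entry added` TODO while this hunk adds the entry `- Escape search term before passing it to Regexp.new !6241 (winniehell)`; tick the box so the description and the diff agree. The entry itself follows the surrounding format (description, MR reference, author).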
...@@ -7,8 +7,10 @@ module SearchHelper ...@@ -7,8 +7,10 @@ module SearchHelper
projects_autocomplete(term) projects_autocomplete(term)
].flatten ].flatten
search_pattern = Regexp.new(Regexp.escape(term), "i")
generic_results = project_autocomplete + default_autocomplete + help_autocomplete generic_results = project_autocomplete + default_autocomplete + help_autocomplete
generic_results.select! { |result| result[:label] =~ Regexp.new(term, "i") } generic_results.select! { |result| result[:label] =~ search_pattern }
[ [
resources_results, resources_results,
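Review bot: `Regexp.new(Regexp.escape(term), "i")` on the added line gets case-insensitive matching only because, in the Ruby versions of this era, any second argument that is not an Integer and not nil/false is treated as a bare IGNORECASE flag; prefer `Regexp.new(Regexp.escape(term), Regexp::IGNORECASE)` so the intent is explicit rather than incidental. Hoisting the pattern out of the `select!` block so it is compiled once instead of per result is a good change. Since the escaped term is now matched literally, a plain `result[:label].downcase.include?(term.downcase)` would do the same job without building a Regexp at all, though the escaped pattern is acceptable.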
...@@ -32,6 +32,10 @@ describe SearchHelper do ...@@ -32,6 +32,10 @@ describe SearchHelper do
expect(search_autocomplete_opts("adm").size).to eq(1) expect(search_autocomplete_opts("adm").size).to eq(1)
end end
it "does not allow regular expression in search term" do
expect(search_autocomplete_opts("(webhooks|api)").size).to eq(0)
end
it "includes the user's groups" do it "includes the user's groups" do
create(:group).add_owner(user) create(:group).add_owner(user)
expect(search_autocomplete_opts("gro").size).to eq(1) expect(search_autocomplete_opts("gro").size).to eq(1)
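Review bot: the new example only asserts that `(webhooks|api)` yields zero results, which covers the alternation case from the merge request description but not the second stated bug, unbalanced parentheses causing a server error. Add a case such as `expect { search_autocomplete_opts("(") }.not_to raise_error`, and ideally one showing that a term containing metacharacters still matches a label that contains them literally, so a regression back to an unescaped pattern is caught by both symptoms.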