Merge branch 'security-nuget-api-regex-dos' into 'master'

Update non-negative integer regex to protect against regex DoS See merge request gitlab-org/security/gitlab!1127

Merge branch 'security-nuget-api-regex-dos' into 'master'
Update non-negative integer regex to protect against regex DoS See merge request gitlab-org/security/gitlab!1127
5a9daf91 · GitLab Release Tools Bot · 344f7d39 · 2ce7ae03 · 5a9daf91 · 5a9daf91
Commit 5a9daf91 authored Jan 05, 2021 by GitLab Release Tools Bot
Showing with 6 additions and 1 deletion

changelogs/unreleased/security-nuget-regex-update-redos.yml changelogs/unreleased/security-nuget-regex-update-redos.yml +5 -0

lib/api/concerns/packages/nuget_endpoints.rb lib/api/concerns/packages/nuget_endpoints.rb +1 -1

No files found.
--- a/changelogs/unreleased/security-nuget-regex-update-redos.yml
+++ b/changelogs/unreleased/security-nuget-regex-update-redos.yml
+---
+title: Update NuGet regular expression to protect against ReDoS
+merge_request:
+author:
+type: security
--- a/lib/api/concerns/packages/nuget_endpoints.rb
+++ b/lib/api/concerns/packages/nuget_endpoints.rb
@@ -15,7 +15,7 @@ module API
        extend ActiveSupport::Concern

        POSITIVE_INTEGER_REGEX = %r{\A[1-9]\d*\z}.freeze
-        NON_NEGATIVE_INTEGER_REGEX = %r{\A0|[1-9]\d*\z}.freeze
+        NON_NEGATIVE_INTEGER_REGEX = %r{\A(0|[1-9]\d*)\z}.freeze

        included do
          helpers do