Merge branch 'security-fix-quick-actions-extractor-regex-539' into 'master'

Prevent quick actions regex from backtracking See merge request gitlab-org/security/gitlab!1951

Merge branch 'security-fix-quick-actions-extractor-regex-539' into 'master'
Prevent quick actions regex from backtracking See merge request gitlab-org/security/gitlab!1951
fafc5cb6 · GitLab Release Tools Bot · fec794ba · 6f880114 · fafc5cb6 · fafc5cb6
Commit fafc5cb6 authored Dec 02, 2021 by GitLab Release Tools Bot
Showing with 9 additions and 3 deletions

lib/gitlab/quick_actions/extractor.rb lib/gitlab/quick_actions/extractor.rb +1 -3

spec/lib/gitlab/quick_actions/extractor_spec.rb spec/lib/gitlab/quick_actions/extractor_spec.rb +8 -0

No files found.
--- a/lib/gitlab/quick_actions/extractor.rb
+++ b/lib/gitlab/quick_actions/extractor.rb
@@ -29,9 +29,7 @@ module Gitlab
          # Anything, including `/cmd arg` which are ignored by this filter
          # `

-          `\n*
-          .+?
-          \n*`
+          `.+?`
        )
      }mix.freeze


--- a/spec/lib/gitlab/quick_actions/extractor_spec.rb
+++ b/spec/lib/gitlab/quick_actions/extractor_spec.rb
@@ -352,6 +352,14 @@ RSpec.describe Gitlab::QuickActions::Extractor do
      expect(commands).to eq(expected_commands)
      expect(msg).to eq expected_msg
    end
+
+    it 'fails fast for strings with many newlines' do
+      msg = '`' + "\n" * 100_000
+
+      expect do
+        Timeout.timeout(3.seconds) { extractor.extract_commands(msg) }
+      end.not_to raise_error
+    end
  end

  describe '#redact_commands' do