Prevent DOS when rendering math markdown

Merge branch 'security-prevent_math_markdown_rendering_dos-14-7' into '14-7-stable-ee' See merge request gitlab-org/security/gitlab!2200 Changelog: security

Prevent DOS when rendering math markdown
f01674f2 · Felipe Artur · GitLab Release Tools Bot · dfd1d9f3 · f01674f2 · f01674f2
Commit f01674f2 authored 3 years ago by Felipe Artur Committed by GitLab Release Tools Bot 3 years ago
--- a/lib/banzai/filter/math_filter.rb
+++ b/lib/banzai/filter/math_filter.rb
@@ -25,7 +25,14 @@ module Banzai
  
      DOLLAR_SIGN = '$'
  
+      # Limit to how many nodes can be marked as math elements.
+      # Prevents timeouts for large notes.
+      # For more information check: https://gitlab.com/gitlab-org/gitlab/-/issues/341832
+      RENDER_NODES_LIMIT = 50
+
      def call
+        nodes_count = 0
+
        doc.xpath(XPATH_CODE).each do |code|
          closing = code.next
          opening = code.previous
@@ -41,6 +48,9 @@ module Banzai
            code[STYLE_ATTRIBUTE] = 'inline'
            closing.content = closing.content[1..]
            opening.content = opening.content[0..-2]
+
+            nodes_count += 1
+            break if nodes_count >= RENDER_NODES_LIMIT
          end
        end
  

--- a/spec/lib/banzai/filter/math_filter_spec.rb
+++ b/spec/lib/banzai/filter/math_filter_spec.rb
@@ -126,4 +126,12 @@ RSpec.describe Banzai::Filter::MathFilter do
    expect(before.to_s).to eq '$'
    expect(after.to_s).to eq '$'
  end
+
+  it 'limits how many elements can be marked as math' do
+    stub_const('Banzai::Filter::MathFilter::RENDER_NODES_LIMIT', 2)
+
+    doc = filter('$<code>2+2</code>$ + $<code>3+3</code>$ + $<code>4+4</code>$')
+
+    expect(doc.search('.js-render-math').count).to eq(2)
+  end
 end