Modify release link format check to avoid regex if string is too long

Merge branch 'security-273771-confidential-issue-14-9' into '14-9-stable-ee' See merge request gitlab-org/security/gitlab!2307 Changelog: security

Modify release link format check to avoid regex if string is too long
f516d883 · Allen Cook · GitLab Release Tools Bot · 1fdefb34 · f516d883 · f516d883
Commit f516d883 authored 2 years ago by Allen Cook Committed by GitLab Release Tools Bot 2 years ago
--- a/app/models/releases/link.rb
+++ b/app/models/releases/link.rb
@@ -9,10 +9,20 @@ module Releases
    # See https://gitlab.com/gitlab-org/gitlab/-/issues/218753
    # Regex modified to prevent catastrophic backtracking
    FILEPATH_REGEX = %r{\A\/[^\/](?!.*\/\/.*)[\-\.\w\/]+[\da-zA-Z]+\z}.freeze
+    FILEPATH_MAX_LENGTH = 128
  
    validates :url, presence: true, addressable_url: { schemes: %w(http https ftp) }, uniqueness: { scope: :release }
    validates :name, presence: true, uniqueness: { scope: :release }
-    validates :filepath, uniqueness: { scope: :release }, format: { with: FILEPATH_REGEX }, allow_blank: true, length: { maximum: 128 }
+    validates :filepath, uniqueness: { scope: :release }, allow_blank: true
+    validate :filepath_format_valid?
+
+    # we use a custom validator here to prevent running the regex if the string is too long
+    # see https://gitlab.com/gitlab-org/gitlab/-/issues/273771
+    def filepath_format_valid?
+      return if filepath.nil? # valid use case
+      return errors.add(:filepath, "is too long (maximum is #{FILEPATH_MAX_LENGTH} characters)") if filepath.length > FILEPATH_MAX_LENGTH
+      return errors.add(:filepath, 'is in an invalid format') unless FILEPATH_REGEX.match? filepath
+    end
  
    scope :sorted, -> { order(created_at: :desc) }
  

--- a/spec/models/releases/link_spec.rb
+++ b/spec/models/releases/link_spec.rb
@@ -113,6 +113,17 @@ RSpec.describe Releases::Link do
    end
  end
  
+  describe 'when filepath is greater than max length' do
+    let!(:invalid_link) { build(:release_link, filepath: 'x' * (Releases::Link::FILEPATH_MAX_LENGTH + 1), release: release) }
+
+    it 'will not execute regex' do
+      invalid_link.filepath_format_valid?
+
+      expect(invalid_link.errors[:filepath].size).to eq(1)
+      expect(invalid_link.errors[:filepath].first).to start_with("is too long")
+    end
+  end
+
  describe 'FILEPATH_REGEX with table' do
    using RSpec::Parameterized::TableSyntax