Push rules make use of user-supplied regexps
Just as with coverage regexps in https://gitlab.com/gitlab-org/gitlab-ce/issues/24570, it turns out we allow users to provide regular expressions for the EE push rules feature:
We can fix it in a security release by wiring up Gitlab::UntrustedRegexp as for coverage regexps. This will cause some existing regexps to become invalid.
Unlike coverage regexps, we explicitly document that these use Ruby regexes. Should we backport such a behaviour change, or just roll it into 10.0?
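
An added example, not part of the original issue and not GitLab's code: a heuristic Ruby audit that flags patterns using constructs Ruby's regexp engine accepts but RE2 (the engine behind Gitlab::UntrustedRegexp) rejects, as a way to estimate which existing push rule regexps would become invalid. The function names and sample patterns are constructed for illustration; the authoritative check is still to compile each stored pattern with the RE2-backed class.

```ruby
# Heuristic scan for Ruby-only regexp constructs that RE2 does not support:
# lookahead/lookbehind, atomic groups, backreferences, possessive quantifiers.
# Escapes and character classes are tracked so that literals such as "\(\?="
# or "[(?=]" are not reported.
def re2_incompatibilities(source)
  findings = []
  in_class = false
  i = 0
  while i < source.length
    rest = source[i..]
    if rest.start_with?('\\')
      # \1..\9 and \k<name> are backreferences outside a character class.
      findings << 'backreference' if !in_class && rest.match?(/\A\\(?:[1-9]|k<)/)
      i += 2 # skip the escaped character as well
      next
    end
    if in_class
      in_class = false if rest.start_with?(']')
    elsif rest.start_with?('[')
      in_class = true
    elsif rest.match?(/\A\(\?<?[=!]/)
      findings << 'lookaround'
    elsif rest.start_with?('(?>')
      findings << 'atomic group'
    elsif rest.match?(/\A[*+?]\+/)
      findings << 'possessive quantifier'
    end
    i += 1
  end
  findings.uniq
end

# Returns { pattern => [reasons] } for patterns likely to break under RE2.
def audit_push_rule_patterns(patterns)
  patterns.to_h { |p| [p, re2_incompatibilities(p)] }
          .reject { |_, reasons| reasons.empty? }
end

# Constructed sample patterns, standing in for stored push rule regexps.
SAMPLE_PATTERNS = [
  '^(feature|hotfix)\/[a-z0-9-]+$', # portable
  '^(?!.*WIP).+$',                  # negative lookahead
  '^(\w+)-\1$',                     # backreference
  '[a-z]++@example\.com',           # possessive quantifier
  '\(\?=literal\)'                  # escaped literal, portable
].freeze

audit_push_rule_patterns(SAMPLE_PATTERNS).each do |pattern, reasons|
  puts "#{pattern}: #{reasons.join(', ')}"
end
```

Because the scan is heuristic, treat an empty result as "probably portable" and confirm by compiling the pattern with the RE2-backed class before relying on it.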