ReDoS in GitRefsFinder when using wildcards in branch search

Merge branch 'security-unauthenticated-redos-in-gitrefsfinder-when-using-wildcards-in-branch-search' into 'master' See merge request gitlab-org/security/gitlab!3970 Changelog: security

ReDoS in GitRefsFinder when using wildcards in branch search
790f4131 · Javiera Tapia · GitLab Release Tools Bot · 9d6ec068 · 790f4131 · 790f4131
Commit 790f4131 authored 9 months ago by Javiera Tapia Committed by GitLab Release Tools Bot 9 months ago
--- a/app/finders/git_refs_finder.rb
+++ b/app/finders/git_refs_finder.rb
@@ -34,9 +34,11 @@ def sort
  end

  def filter_refs(refs, term)
-    regex_string = Regexp.quote(term.downcase)
+    regex_string = RE2::Regexp.escape(term.downcase)
    regex_string = unescape_regex_operators(regex_string) if regex_search?
-    refs.select { |ref| /#{regex_string}/ === ref.name.downcase }
+    regex_string = Gitlab::UntrustedRegexp.new(regex_string)
+
+    refs.select { |ref| regex_string.match?(ref.name.downcase) }
  end

  def set_exact_match_as_first_result(matches, term)

--- a/spec/finders/branches_finder_spec.rb
+++ b/spec/finders/branches_finder_spec.rb
@@ -101,6 +101,8 @@
        let(:params) { { search: '^feature_' } }

        it 'filters branches' do
+          expect(::Gitlab::UntrustedRegexp).to receive(:new).with('^feature_').once.and_call_original
+
          result = subject

          expect(result.first.name).to eq('feature_conflict')
@@ -112,6 +114,8 @@
        let(:params) { { search: 'feature$' } }

        it 'filters branches' do
+          expect(::Gitlab::UntrustedRegexp).to receive(:new).with('feature$').once.and_call_original
+
          result = subject

          expect(result.first.name).to eq('feature')
@@ -123,6 +127,9 @@
        let(:params) { { search: 'f*e' } }

        it 'filters branches' do
+          escaped_regex = 'f.*?e'
+          expect(::Gitlab::UntrustedRegexp).to receive(:new).with(escaped_regex).once.and_call_original
+
          result = subject

          expect(result.first.name).to eq('2-mb-file')
@@ -134,6 +141,9 @@
        let(:params) { { search: '^f*e$' } }

        it 'filters branches' do
+          escaped_regex = '^f.*?e$'
+          expect(::Gitlab::UntrustedRegexp).to receive(:new).with(escaped_regex).once.and_call_original
+
          result = subject

          expect(result.first.name).to eq('feature')
@@ -173,6 +183,9 @@
        let(:params) { { search: 'f*a*e' } }

        it 'filters branches' do
+          escaped_regex = 'f.*?a.*?e'
+          expect(::Gitlab::UntrustedRegexp).to receive(:new).with(escaped_regex).once.and_call_original
+
          result = subject

          expect(result.first.name).to eq('after-create-delete-modify-move')
@@ -214,6 +227,9 @@
        let(:params) { { search: 'zz*asdf' } }

        it 'filters branches' do
+          escaped_regex = 'zz.*?asdf'
+          expect(::Gitlab::UntrustedRegexp).to receive(:new).with(escaped_regex).once.and_call_original
+
          result = subject

          expect(result.count).to eq(0)

--- a/spec/finders/tags_finder_spec.rb
+++ b/spec/finders/tags_finder_spec.rb
@@ -96,6 +96,15 @@ def load_tags(params, gitaly_pagination: false)
        expect(result.count).to eq(0)
      end

+      it 'uses ::Gitlab::UntrustedRegexp for regex filter' do
+        escaped_regex = '^v1\\..*?.*?.*?.*?.*?.*?.*?.*?.*?.*?\\.0$'
+
+        expect(::Gitlab::UntrustedRegexp).to receive(:new).with(escaped_regex).once.and_call_original
+        result = load_tags({ search: '^v1.**********.0$' })
+
+        expect(result.count).to eq(2)
+      end
+
      context 'when search is not a string' do
        it 'returns no matches' do
          result = load_tags({ search: { 'a' => 'b' } })