Verified Commit c39fac71 authored by Stan Hu, committed by GitLab

Merge branch 'redos_protection' into 'master'

Set Global timeout for Regexp to prevent ReDOS

See merge request !145679



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Dominic Couture <dcouture@gitlab.com>
Approved-by: Stan Hu <stanhu@gmail.com>
Co-authored-by: Aboobacker MK <akarakath@gitlab.com>
parents 35fffea9 10fd9dfc
1 merge request: !145679 Set Global timeout for Regexp to prevent ReDOS
Pipeline #1497520241 passed with warnings
......@@ -121,6 +121,11 @@ def self.endpoint_id_for_action(action_name)
render plain: e.message, status: :service_unavailable
end
rescue_from Regexp::TimeoutError do |e|
log_exception(e)
head :service_unavailable
end
def redirect_back_or_default(default: root_path, options: {})
redirect_back(fallback_location: default, **options)
end
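Review bot: `head :service_unavailable` in the new `rescue_from Regexp::TimeoutError` handler sends an empty body, whereas the handler directly above it uses `render plain: e.message, status: :service_unavailable`; API and JSON clients therefore get a bare 503 with nothing to tell a regexp timeout apart from any other unavailability. Consider `render plain: 'Regular expression timed out', status: :service_unavailable` for consistency (the exception message itself is already captured by `log_exception(e)`). Note also that a controller-level `rescue_from` only covers exceptions raised while a Rails controller action is running, so a `Regexp::TimeoutError` raised anywhere outside that path still needs its own handling once the global timeout is in force.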
......
# frozen_string_literal: true
# Timeout if Regular expression takes more than fifty seconds to compute.
# This is a conservative value and is to be evaluated later.
# This value can be overridden using the REGEXP_TIMEOUT_SECONDS environment value
Regexp.timeout = ENV.fetch('REGEXP_TIMEOUT_SECONDS', 50).to_f if RUBY_VERSION > "3.2"
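Review bot: the guard `if RUBY_VERSION > "3.2"` is a lexicographic string comparison, so it evaluates to false for a future `"3.10.0"` (`"3.1"` sorts before `"3.2"` character by character) and would silently disable the timeout again; use `Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.2')` or, more directly, `if Regexp.respond_to?(:timeout=)`. Separately, `ENV.fetch('REGEXP_TIMEOUT_SECONDS', 50).to_f` turns an empty or non-numeric `REGEXP_TIMEOUT_SECONDS` into `0.0` instead of falling back to 50, so a misconfigured deployment ends up with a value nobody intended; `Float(ENV.fetch('REGEXP_TIMEOUT_SECONDS', '50'))` would fail loudly at boot instead. Finally, the comment says the value "is to be evaluated later" but does not point at an issue tracking that follow-up; a reference in the comment would keep the 50-second default from becoming permanent by accident.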
......@@ -1108,4 +1108,22 @@ def index
expect(response.headers['Retry-After']).to eq(50)
end
end
context 'When Regexp::TimeoutError is raised' do
before do
sign_in user
end
controller(described_class) do
def index
raise Regexp::TimeoutError
end
end
it 'returns a plaintext error response with 503 status' do
get :index
expect(response).to have_gitlab_http_status(:service_unavailable)
end
end
end
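Review bot: the example is named 'returns a plaintext error response with 503 status' but only asserts the status, and the handler it exercises responds with `head :service_unavailable`, which sends no body, so either the description or the expectation is wrong. Either add an assertion on the body that matches the intended behaviour (for example `expect(response.body).to be_empty` if `head` is what is wanted) or rename the example to 'returns a 503 status'. It would also be worth asserting that the exception is logged, since `log_exception(e)` is the other half of the handler's behaviour and is currently untested.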