Commit d9f51d83 authored by Ravi Kumar, committed by Jenny Kim

Fix the catastrophic backtracking in openapi regex

Merge branch 'security-1112-redos-openapi' into '17-1-stable-ee'

See merge request gitlab-org/security/gitlab!4135

Changelog: security
parent 8c41be0b
......@@ -6,6 +6,8 @@ module Gitlab
# Module that can be used to detect if a path points to a special file such as
# a README or a CONTRIBUTING file.
module FileDetector
PATTERNS_BASENAME = { openapi: [%r{\.(yaml|yml|json)\z}i, %r{openapi|swagger}i] }.freeze
PATTERNS = {
# Project files
readme: /\A(#{Regexp.union(*Gitlab::MarkupHelper::PLAIN_FILENAMES).source})(\.(txt|#{Regexp.union(*Gitlab::MarkupHelper::EXTENSIONS).source}))?\z/i,
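Review bot: the new `PATTERNS_BASENAME` constant carries no comment explaining why `openapi` is now expressed as an Array of two separate regexes (`%r{\.(yaml|yml|json)\z}i` and `%r{openapi|swagger}i`) that must all match the basename, rather than a single pattern like the rest of `PATTERNS`. Since the whole point of the change is to avoid the backtracking of the old combined pattern, a short comment above the constant (e.g. "each entry is a list of patterns that must all match the basename; kept separate to avoid catastrophic backtracking") would stop a future contributor from "simplifying" it back into one regex. It would also help to mirror the existing `# OpenAPI Specification files` style of comment that the old entry had.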
......@@ -40,10 +42,7 @@ module FileDetector
podspec_json: %r{\A[^/]*\.podspec\.json\z},
podspec: %r{\A[^/]*\.podspec\z},
requirements_txt: %r{\A[^/]*requirements\.txt\z},
yarn_lock: 'yarn.lock',
# OpenAPI Specification files
openapi: %r{[^/]*(openapi|swagger)[^/]*\.(yaml|yml|json)\z}i
yarn_lock: 'yarn.lock'
}.freeze
# Returns an Array of file types based on the given paths.
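Review bot: removing `openapi: %r{[^/]*(openapi|swagger)[^/]*\.(yaml|yml|json)\z}i` is the right fix here, as the two unanchored `[^/]*` quantifiers on either side of the alternation are what allow the engine to retry every split point of a long non-matching basename; the replacement in `PATTERNS_BASENAME` anchors the extension check with `\z` and keeps the name check as a plain substring search, so neither can backtrack that way. One thing to note: the `# OpenAPI Specification files` comment disappears with the removed line but is not re-added next to the new constant, so the explanation of what the entry is for is lost. Also, `yarn_lock: 'yarn.lock'` moving to the end of the hash and losing its trailing comma is fine functionally but makes the diff noisier than needed; keeping it in place with the trailing comma would reduce the change to the single removed entry.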
......@@ -84,7 +83,10 @@ def self.type_of(path)
return type if did_match
end
basename = File.basename(path)
PATTERNS_BASENAME.each do |type, regex|
return type if regex.all? { |r| basename =~ r }
end
nil
end
end
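Review bot: in the added loop `PATTERNS_BASENAME.each do |type, regex|`, the block variable `regex` actually holds an Array of regexes (it is immediately iterated with `regex.all?`), so naming it `regexes` or `patterns` would make the all-must-match semantics obvious at the call site. Inside the block, `basename =~ r` works with `all?` because it returns an index or nil, but `basename.match?(r)` expresses the intent directly and avoids allocating `MatchData` and setting `$~` on every comparison. Finally, since this check runs only after the `PATTERNS` loop has returned nothing, a path that matches an earlier pattern still wins over the basename check, which preserves the previous precedence; a one-line comment saying so would make that ordering explicit.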
......