Skip to content
Snippets Groups Projects

Set Global timeout for Regexp to prevent ReDOS

Merged Aboobacker MK requested to merge redos_protection into master
1 unresolved thread

What does this MR do and why?

Set Global timeout for Regexp to prevent ReDOS

Ruby version 3.2 and above provides global configuration to prevent ReDoS by setting timeout. While we should still avoid writing vulnerable regular expressions, this will significantly reduce the attack surface.

Changelog: security

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
  • Aboobacker MK requested review from @dcouture and @stanhu

    requested review from @dcouture and @stanhu

  • 2 Warnings
    :warning: 1589de4d: The commit subject must contain at least 3 words. For more information, take a look at our Commit message guidelines.
    :warning: b546ce72: The commit subject must contain at least 3 words. For more information, take a look at our Commit message guidelines.

    Reviewer roulette

    Category Reviewer Maintainer
    backend @tyleramos profile link current availability (UTC-4, 9.5 hours behind author) @schin1 profile link current availability (UTC+8, 2.5 hours ahead of author)

    Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.

    If needed, you can retry the :repeat: danger-review job that generated this comment.

    Generated by :no_entry_sign: Danger

  • Aboobacker MK changed milestone to %16.10

    changed milestone to %16.10

  • E2E Test Result Summary

    allure-report-publisher generated test report!

    e2e-package-and-test: :x: test report for 1bb82e7b

    expand test summary
    +---------------------------------------------------------------------+
    |                           suites summary                            |
    +----------------+--------+--------+---------+-------+-------+--------+
    |                | passed | failed | skipped | flaky | total | result |
    +----------------+--------+--------+---------+-------+-------+--------+
    | Plan           | 243    | 3      | 13      | 0     | 259   | ❌     |
    | Govern         | 266    | 6      | 19      | 0     | 291   | ❌     |
    | Package        | 226    | 0      | 17      | 0     | 243   | ✅     |
    | Create         | 558    | 10     | 73      | 0     | 641   | ❌     |
    | Systems        | 8      | 0      | 0       | 0     | 8     | ✅     |
    | Verify         | 148    | 2      | 27      | 0     | 177   | ❌     |
    | Data Stores    | 117    | 2      | 28      | 0     | 147   | ❌     |
    | Fulfillment    | 8      | 0      | 75      | 0     | 83    | ✅     |
    | Manage         | 39     | 0      | 11      | 0     | 50    | ✅     |
    | Configure      | 1      | 0      | 9       | 0     | 10    | ✅     |
    | Analytics      | 7      | 0      | 0       | 0     | 7     | ✅     |
    | GitLab Metrics | 2      | 0      | 1       | 0     | 3     | ✅     |
    | Monitor        | 36     | 0      | 13      | 0     | 49    | ✅     |
    | Release        | 15     | 0      | 3       | 0     | 18    | ✅     |
    | Growth         | 0      | 0      | 6       | 0     | 6     | ➖     |
    | Secure         | 6      | 0      | 3       | 0     | 9     | ✅     |
    | Ai-powered     | 0      | 0      | 3       | 0     | 3     | ➖     |
    | ModelOps       | 0      | 0      | 3       | 0     | 3     | ➖     |
    +----------------+--------+--------+---------+-------+-------+--------+
    | Total          | 1680   | 23     | 304     | 0     | 2007  | ❌     |
    +----------------+--------+--------+---------+-------+-------+--------+

    e2e-test-on-gdk: :white_check_mark: test report for 1bb82e7b

    expand test summary
    +------------------------------------------------------------------+
    |                          suites summary                          |
    +-------------+--------+--------+---------+-------+-------+--------+
    |             | passed | failed | skipped | flaky | total | result |
    +-------------+--------+--------+---------+-------+-------+--------+
    | Create      | 60     | 0      | 9       | 0     | 69    | ✅     |
    | Verify      | 36     | 0      | 0       | 0     | 36    | ✅     |
    | Plan        | 53     | 0      | 0       | 0     | 53    | ✅     |
    | Data Stores | 31     | 0      | 0       | 0     | 31    | ✅     |
    | Package     | 24     | 0      | 2       | 0     | 26    | ✅     |
    | Govern      | 66     | 0      | 0       | 0     | 66    | ✅     |
    | Analytics   | 2      | 0      | 0       | 0     | 2     | ✅     |
    | Manage      | 0      | 0      | 1       | 0     | 1     | ➖     |
    | Monitor     | 7      | 0      | 0       | 0     | 7     | ✅     |
    | Release     | 5      | 0      | 0       | 0     | 5     | ✅     |
    +-------------+--------+--------+---------+-------+-------+--------+
    | Total       | 284    | 0      | 12      | 0     | 296   | ✅     |
    +-------------+--------+--------+---------+-------+-------+--------+

    e2e-review-qa: :white_check_mark: test report for 1bb82e7b

    expand test summary
    +------------------------------------------------------------------+
    |                          suites summary                          |
    +-------------+--------+--------+---------+-------+-------+--------+
    |             | passed | failed | skipped | flaky | total | result |
    +-------------+--------+--------+---------+-------+-------+--------+
    | Plan        | 3      | 0      | 1       | 0     | 4     | ✅     |
    | Govern      | 3      | 0      | 0       | 0     | 3     | ✅     |
    | Create      | 8      | 0      | 3       | 0     | 11    | ✅     |
    | Monitor     | 4      | 0      | 0       | 0     | 4     | ✅     |
    | Package     | 0      | 0      | 1       | 0     | 1     | ➖     |
    | Data Stores | 2      | 0      | 0       | 0     | 2     | ✅     |
    +-------------+--------+--------+---------+-------+-------+--------+
    | Total       | 20     | 0      | 5       | 0     | 25    | ✅     |
    +-------------+--------+--------+---------+-------+-------+--------+
  • Dominic Couture approved this merge request

    approved this merge request

  • Finally we're able to use this :tada: Thanks for the MR @tachyons-gitlab

    If anyone else reading this isn't familiar with our 3.2 timeline, in &9684 (closed) we mention planning to use 3.2 in production for %17.2

    FYI @gitlab-com/gl-security/appsec 2 things:

    1. Regex DoS is about to be much less of a problem
    2. Until we use 3.2 in production, you might need to comment out this line when trying to reproduce regex DoS issues locally
  • A deleted user added backend label

    added backend label

  • Stan Hu
  • Stan Hu removed review request for @stanhu

    removed review request for @stanhu

  • mentioned in epic &9684 (closed)

  • mentioned in issue #455013 (closed)

  • Rohit Shambhuni mentioned in merge request !147971 (merged)

    mentioned in merge request !147971 (merged)

  • mentioned in issue #460517 (closed)

  • Allison Browne mentioned in merge request !154561 (merged)

    mentioned in merge request !154561 (merged)

  • Aboobacker MK added 1 commit

    added 1 commit

    Compare with previous version

  • Aboobacker MK changed milestone to %17.3

    changed milestone to %17.3

  • Aboobacker MK added 24080 commits

    added 24080 commits

    Compare with previous version

  • Aboobacker MK added 1 commit

    added 1 commit

    • d7afbc05 - Log error instead to reduce the impact

    Compare with previous version

  • Aboobacker MK requested review from @stanhu

    requested review from @stanhu

  • Stan Hu
  • Stan Hu removed review request for @stanhu

    removed review request for @stanhu

  • Aboobacker MK added 1 commit

    added 1 commit

    • 6f87132c - Make timeout more conservative

    Compare with previous version

  • Aboobacker MK added 1 commit

    added 1 commit

    Compare with previous version

  • Aboobacker MK requested review from @stanhu

    requested review from @stanhu

  • Aboobacker MK added 1 commit

    added 1 commit

    Compare with previous version

  • Security policy violations have been resolved.

    Edited by GitLab Security Bot
  • Furkan Ayhan mentioned in issue #198688

    mentioned in issue #198688

  • Dominic Couture added 13542 commits

    added 13542 commits

    Compare with previous version

  • Dominic Couture added 888 commits

    added 888 commits

    Compare with previous version

  • Aboobacker MK changed milestone to %17.5

    changed milestone to %17.5

  • mentioned in issue #497573 (closed)

  • Stan Hu approved this merge request

    approved this merge request

  • Stan Hu enabled automatic add to merge train when checks pass

    enabled automatic add to merge train when checks pass

  • Stan Hu resolved all threads

    resolved all threads

  • merged

  • Stan Hu mentioned in commit c39fac71

    mentioned in commit c39fac71

  • added workflowstaging label and removed workflowcanary label

  • mentioned in issue #499848

  • mentioned in issue #499861 (closed)

  • mentioned in merge request !169165 (merged)

  • Dominic Couture mentioned in merge request !174107 (merged)

    mentioned in merge request !174107 (merged)

  • Dominic Couture mentioned in merge request !174854 (merged)

    mentioned in merge request !174854 (merged)

  • Dominic Couture mentioned in merge request !177104 (merged)

    mentioned in merge request !177104 (merged)

  • Aboobacker MK mentioned in merge request !177154 (merged)

    mentioned in merge request !177154 (merged)

  • Please register or sign in to reply
    Loading