Add string sanitization and validation to config file lib names/versions
What does this MR do and why?
Background
The Repository X-Ray is a feature that scans a repository for dependency manager configuration files and parses a list of library names/versions from those files. Its core functionality involves the ConfigFiles::Base class, which contains the logic to parse and extract libraries from the file content.
This MR
As part of https://gitlab.com/gitlab-org/gitlab/-/issues/509031, we introduce additional sanitization and validation logic for the parsed library name and version strings, as proposed in https://gitlab.com/gitlab-org/gitlab/-/issues/505590#note_2251707440. This is to mitigate the risk posed by potentially malicious strings in those files.
Specifically, in this MR, we:
- Remove extraneous version qualifiers and the prefixed `v` from the `lib.version` value.
- Apply validation to `lib.name` with the following rules:
  - Only contain these characters (no spaces): `A-Z`, `a-z`, `0-9`, `/`, `-`, `_`, `.`
  - Only start/end with `A-Z`, `a-z`, or `0-9`.
  - Not exceed `50` characters.
- Apply validation to `lib.version` with the following rules:
  - Only contain: `0-9`, space, `.`, `<`, `>`, `=`, `+`, `^`, `*`, `!`, `|`, `,`.
  - Not exceed `20` characters.
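The rules above, written out as a stand-alone Ruby module so the allow-lists and length limits can be exercised against the same `requirements.txt` lines used in the local validation steps. This is an added example, not the MR's own code or the `ConfigFiles::Base` implementation: the module name, method names, and the choice to treat a `-` or `+` suffix as the "extraneous qualifier" to strip are assumptions made here.

```ruby
# Added example (not the MR's code): sanitization and validation of parsed
# library name/version strings, following the rules listed in this MR.
module LibStringSanitizer
  NAME_MAX_LENGTH = 50
  VERSION_MAX_LENGTH = 20

  # Name: only A-Z a-z 0-9 / - _ . (no spaces); must start and end alphanumeric.
  NAME_REGEX = %r{\A[A-Za-z0-9](?:[A-Za-z0-9/_.-]*[A-Za-z0-9])?\z}

  # Version: only digits, space, . < > = + ^ * ! | ,
  VERSION_REGEX = /\A[0-9 .<>=+^*!|,]*\z/

  # Strip surrounding whitespace, a "v" prefix on the numeric part, and any
  # trailing qualifier introduced by "-" or "+" (assumption: these mark
  # pre-release / build-metadata qualifiers, e.g. "-prerelease", "+build").
  def self.sanitize_version(version)
    v = version.to_s.strip
    v = v.sub(/(?<![A-Za-z0-9])v(?=\d)/, '') # "!=v0.3.0" -> "!=0.3.0"
    v.sub(/[-+].*\z/, '')                    # "3.2.1+build-metadata" -> "3.2.1"
  end

  def self.valid_name?(name)
    name.is_a?(String) &&
      name.length <= NAME_MAX_LENGTH &&
      NAME_REGEX.match?(name)
  end

  def self.valid_version?(version)
    version.is_a?(String) &&
      version.length <= VERSION_MAX_LENGTH &&
      VERSION_REGEX.match?(version)
  end

  # Returns { name:, version: } with sanitized values, or nil when either
  # value fails validation (the caller then drops the library entry).
  def self.sanitize(lib)
    name = lib[:name].to_s.strip
    version = sanitize_version(lib[:version])
    return nil unless valid_name?(name) && valid_version?(version)

    { name: name, version: version }
  end
end

# Constructed sample input mirroring the requirements.txt used in the
# "How to set up and validate locally" steps.
SAMPLE_LIBS = [
  { name: '  lib_with_leading_and_trailing_spaces  ', version: ' !=v0.3.0-prerelease' },
  { name: 'otherLib', version: ' 3.2.1+build-metadata' },
  { name: 'bad name; rm -rf /', version: '1.0' }
].freeze

def sanitized_sample_libs
  SAMPLE_LIBS.map { |lib| LibStringSanitizer.sanitize(lib) }
end

if __FILE__ == $PROGRAM_NAME
  sanitized_sample_libs.each { |lib| puts lib.inspect }
end
```

Entries that fail validation come back as `nil` rather than raising, which matches the intent of silently dropping untrusted strings from the report instead of failing the whole scan on one bad line.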
References
- Related issue: https://gitlab.com/gitlab-org/gitlab/-/issues/509031
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
We can validate that the x-ray parsing service still works as expected and also sanitizes the string values as necessary.
- Ensure you have GitLab Duo Code Suggestions enabled on your gdk.
- Create a new project. In the project's root, add the following file.
`requirements.txt`:

```
lib_with_leading_and_trailing_spaces !=v0.3.0-prerelease
otherLib == 3.2.1+build-metadata
```
- In the Rails console, observe that the expected X-Ray report has been saved with the library strings sanitized.
```ruby
project = Project.last # This should be the new project you created
project.xray_reports
```
