
Assert user domain restrictions not vulnerable

Thong Kuah requested to merge assert_domain_restriction_not_vulnerable into master

What does this MR do?

Relates to #206795 (closed)

Add some test cases to assert that bad regexes do not cause the process to hang

To test:

  1. Apply the following diff:
$ git diff -U
diff --git a/app/models/user.rb b/app/models/user.rb
index ec9bc7ae01e..7a024bdf7d7 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1742,7 +1742,7 @@ def domain_matches?(email_domains, email)
     signup_domain = Mail::Address.new(email).domain
     email_domains.any? do |domain|
       escaped = Regexp.escape(domain).gsub('\*', '.*?')
-      regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
+      regexp = Regexp.new "^#{domain}$", Regexp::IGNORECASE
       signup_domain =~ regexp
     end
   end
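Review bot: the `+` line interpolates `domain` into `Regexp.new` unescaped, which drops both the `Regexp.escape` call and the `'\*' -> '.*?'` wildcard rewrite, so this is purely a verification diff; the instructions should state what the `bad regex` spec run in step 2 is expected to do with it applied (fail, or hit a timeout) so a reviewer can confirm the new cases actually exercise the unescaped path rather than passing for an unrelated reason.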
  2. Run bundle exec rspec spec/models/user_spec.rb -e 'bad regex'
Edited by 🤖 GitLab Bot 🤖
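A stand-alone sketch of the escaping behaviour the new spec cases cover, added here as an example and not code from this MR or from GitLab: it mirrors the `-` line's `Regexp.escape` logic from `domain_matches?`, and assumes a plain `split('@')` in place of `Mail::Address` plus a hypothetical `match_with_deadline` helper that bounds the match time.

```ruby
# Added example (not GitLab's code): re-creates the escaping logic of
# User#domain_matches? shown in the diff so it can be exercised alone.
# Domain extraction is a plain split instead of Mail::Address
# (assumption, to avoid a dependency on the mail gem).
require 'timeout'

# Mirror of the escaped version: every configured domain is matched
# literally except '*', which becomes a lazy wildcard ('.*?').
def domain_regexp(domain)
  escaped = Regexp.escape(domain).gsub('\*', '.*?')
  Regexp.new("^#{escaped}$", Regexp::IGNORECASE)
end

# True when the email's domain matches any configured domain pattern.
def domain_matches?(email_domains, email)
  signup_domain = email.split('@', 2).last
  email_domains.any? { |domain| signup_domain =~ domain_regexp(domain) }
end

# Hypothetical helper: runs the match under a deadline and reports
# [result, :ok], or [nil, :timeout] if the regex engine does not return
# in time (the failure mode the spec's 'bad regex' cases guard against).
def match_with_deadline(email_domains, email, seconds: 1)
  Timeout.timeout(seconds) { [domain_matches?(email_domains, email), :ok] }
rescue Timeout::Error
  [nil, :timeout]
end
```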
