
Assert user domain restrictions not vulnerable

Merged Thong Kuah requested to merge assert_domain_restriction_not_vulnerable into master
All threads resolved!

What does this MR do?

Relates to #206795 (closed)

Adds test cases asserting that a bad regex in the user email domain restrictions does not cause the process to hang.

To test:

  1. Apply the following diff:
$ git diff -U
diff --git a/app/models/user.rb b/app/models/user.rb
index ec9bc7ae01e..7a024bdf7d7 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1742,7 +1742,7 @@ def domain_matches?(email_domains, email)
     signup_domain = Mail::Address.new(email).domain
     email_domains.any? do |domain|
       escaped = Regexp.escape(domain).gsub('\*', '.*?')
-      regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
+      regexp = Regexp.new "^#{domain}$", Regexp::IGNORECASE
       signup_domain =~ regexp
     end
   end
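Review bot: the `+` line interpolates `domain` into `Regexp.new` unescaped, so any regex metacharacters in an admin-configured domain restriction are evaluated as a pattern rather than matched literally, and the `escaped` value computed on the line above becomes dead. That is exactly the vulnerable state the new 'bad regex' specs are meant to catch, so the description should state that this diff is a local, throw-away change used to confirm the specs fail, not something to commit; if it were ever kept, the `escaped = ...` line would also have to go to avoid an unused-variable warning under `ruby -w`.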
  2. Run bundle exec rspec spec/models/user_spec.rb -e 'bad regex'
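To see what the specs are checking without GitLab's test suite, here is an added example (not GitLab's own code) that mirrors the escaping strategy of the unpatched `domain_matches?` shown in the diff and runs it under a timeout with a constructed domain containing regex metacharacters; it assumes the email domain is simply everything after the last `@`, instead of using `Mail::Address`.

```ruby
require 'timeout'

# Mirrors the safe (master) version of User#domain_matches? from the diff:
# escape everything, then turn only the escaped wildcard '\*' into '.*?'.
# Assumption: the domain is the part after the last '@' (no Mail gem here).
def domain_matches?(email_domains, email)
  signup_domain = email.split('@').last
  email_domains.any? do |domain|
    escaped = Regexp.escape(domain).gsub('\*', '.*?')
    regexp = Regexp.new("^#{escaped}$", Regexp::IGNORECASE)
    signup_domain =~ regexp
  end
end

# Runs the match under a wall-clock budget and returns [matched, finished].
# finished == false means the match was cut off, i.e. it behaved like a hang.
def matches_within?(email_domains, email, seconds: 2)
  result = Timeout.timeout(seconds) { domain_matches?(email_domains, email) }
  [result, true]
rescue Timeout::Error
  [nil, false]
end

# Constructed sample inputs: a wildcard restriction and a domain string that
# would be a backtracking-heavy pattern if it were ever used unescaped.
WILDCARD_DOMAINS = ['*.example.com'].freeze
PATHOLOGICAL_DOMAIN = '(a+)+$'

if __FILE__ == $0
  p domain_matches?(WILDCARD_DOMAINS, 'alice@mail.example.com')   # true
  p domain_matches?(['example.com'], 'bob@notexample.com')         # false
  p matches_within?([PATHOLOGICAL_DOMAIN], 'c@' + 'a' * 40 + '!')  # [false, true]
end
```

Because the metacharacters are escaped, the pathological domain is compared literally and the match returns immediately; the MR's specs assert the same property against the real model.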
Edited by 🤖 GitLab Bot 🤖
