Assert user domain restrictions not vulnerable
What does this MR do?
Relates to #206795 (closed)
Add some test cases to assert that bad regexes do not cause the process to hang
To test:
- Apply the following diff:
$ git diff -U
diff --git a/app/models/user.rb b/app/models/user.rb
index ec9bc7ae01e..7a024bdf7d7 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1742,7 +1742,7 @@ def domain_matches?(email_domains, email)
signup_domain = Mail::Address.new(email).domain
email_domains.any? do |domain|
escaped = Regexp.escape(domain).gsub('\*', '.*?')
- regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
+ regexp = Regexp.new "^#{domain}$", Regexp::IGNORECASE
signup_domain =~ regexp
end
end
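Review bot: the changed line `+ regexp = Regexp.new "^#{domain}$", Regexp::IGNORECASE` drops `Regexp.escape`, so every allow-list entry is interpolated verbatim as a pattern; that is the regression the new 'bad regex' spec is meant to catch, so confirm the spec fails with this diff applied and passes without it, and keep the diff out of the commit, since it also leaves the `escaped` local assigned but unused.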
- Run `bundle exec rspec spec/models/user_spec.rb -e 'bad regex'`
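As an added example (not the MR's spec code), the escaped `domain_matches?` from the diff context beside the unescaped variant the test diff introduces, plus a time-budgeted check so a pattern that errors or hangs fails the test instead of stalling the suite. `email_domain` is a stand-in for `Mail::Address.new(email).domain` so the block runs without the mail gem, and all domains and addresses are constructed sample values.

```ruby
require 'timeout'

# Stand-in for Mail::Address.new(email).domain (assumption: avoids the mail gem).
def email_domain(email)
  email.split('@', 2).last
end

# The version from the diff context: the allow-list entry is escaped so regex
# metacharacters are literal, and only the '*' wildcard becomes a lazy match-all.
def domain_matches?(email_domains, email)
  signup_domain = email_domain(email)
  email_domains.any? do |domain|
    escaped = Regexp.escape(domain).gsub('\*', '.*?')
    regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
    signup_domain =~ regexp
  end
end

# The regression the test diff applies: the raw entry is the pattern, so an
# entry with metacharacters either matches too much or fails to compile.
def unescaped_domain_matches?(email_domains, email)
  signup_domain = email_domain(email)
  email_domains.any? do |domain|
    regexp = Regexp.new "^#{domain}$", Regexp::IGNORECASE
    signup_domain =~ regexp
  end
end

# Run a matcher under a time budget. Returns true/false on completion,
# :regexp_error if the pattern does not compile, :timeout if it exceeds budget.
def check_within(seconds, email_domains, email, matcher = method(:domain_matches?))
  Timeout.timeout(seconds) { matcher.call(email_domains, email) ? true : false }
rescue Timeout::Error
  :timeout
rescue RegexpError
  :regexp_error
end

# Constructed sample allow-lists and addresses.
ALLOWED = ['*.example.com', 'gitlab.com'].freeze
puts check_within(1, ALLOWED, 'user@dev.example.com')              # true
puts check_within(1, ['example.com'], 'user@examplexcom')           # false
puts check_within(1, ['example(.com'], 'user@example.com',
                  method(:unescaped_domain_matches?))              # regexp_error
```

A spec can assert on `check_within` returning `true` or `false` rather than `:timeout` or `:regexp_error`, which is the shape of guard the MR's 'bad regex' cases need.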
Activity
changed milestone to %12.8
Reviewer roulette
Changes that require review have been detected! A merge request is normally reviewed by both a reviewer and a maintainer in its primary category (e.g. frontend or backend), and by a maintainer in all other categories.
To spread load more evenly across eligible reviewers, Danger has randomly picked a candidate for each review slot. Feel free to override this selection if you think someone else would be better-suited, or the chosen person is unavailable.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines.
Once you've decided who will review this merge request, mention them as you normally would! Danger does not (yet?) automatically notify them for you.
| Category | Reviewer | Maintainer |
|---|---|---|
| backend | Mark Chao (@lulalala) | Douglas Barbosa Alexandre (@dbalexandre) |
Generated by Danger
Edited by 🤖 GitLab Bot 🤖
@lulalala Can you please review?
added devops::configure [DEPRECATED] label
added 1 commit
- c7581aa0 - Assert user domain restrictions not vulnerable
assigned to @dbalexandre and unassigned @lulalala
Thanks, @tkuah! LGTM
mentioned in commit aba49229
added workflow::staging label
added workflow::canary label and removed workflow::staging label
added workflow::production label and removed workflow::canary label
added type::maintenance label
added group::environments label and removed group::configure [DEPRECATED] label