Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-09-29 01:02:13 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-09-29 01:02:23 +0300
commit: cda92b051261cb820ed3ea9683865aeb85890411 (patch)
tree: c1c49629eb0aebd9806775d56eb329797d6ecfc0 /app/uploaders
parent: cbc166ca72db07da07995c60bbbf4e83ba30699d (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb
index bf5be708060..7250ce5c0b0 100644
--- a/app/uploaders/file_uploader.rb
+++ b/app/uploaders/file_uploader.rb
@@ -14,7 +14,12 @@ class FileUploader < GitlabUploader
   include ObjectStorage::Concern
   prepend ObjectStorage::Extension::RecordsUploads
 
-  MARKDOWN_PATTERN = %r{\!?\[.*?\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>.*?)\)}.freeze
+  # This pattern is vulnerable to malicious inputs, so use Gitlab::UntrustedRegexp
+  # to place bounds on execution time
+  MARKDOWN_PATTERN = Gitlab::UntrustedRegexp.new(
+    '!?\[.*?\]\(/uploads/(?P<secret>[0-9a-f]{32})/(?P<file>.*?)\)'
+  )
+
   DYNAMIC_PATH_PATTERN = %r{.*(?<secret>\b(\h{10}|\h{32}))\/(?<identifier>.*)}.freeze
   VALID_SECRET_PATTERN = %r{\A\h{10,32}\z}.freeze
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-09-29 01:02:13 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-09-29 01:02:23 +0300
commit	cda92b051261cb820ed3ea9683865aeb85890411 (patch)
tree	c1c49629eb0aebd9806775d56eb329797d6ecfc0 /app/uploaders
parent	cbc166ca72db07da07995c60bbbf4e83ba30699d (diff)