authorGitLab Bot <gitlab-bot@gitlab.com>2023-03-30 02:48:15 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-03-30 02:48:15 +0300
commitef77d7f75069ca5f71261d80bc9caea59168cba2 (patch)
treeb5d128c44de05edc90e0d3cb5fca398c55803628 /lib
parentb405157ce7809b3671155faa8f3c3395e3fc74ce (diff)
Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/regex.rb58
-rw-r--r--lib/gitlab/untrusted_regexp.rb11
2 files changed, 41 insertions, 28 deletions
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index 93d23add5eb..943218a9972 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -448,6 +448,17 @@ module Gitlab
)
}mx.freeze
+ # Code blocks:
+ # ```
+ # Anything, including `>>>` blocks which are ignored by this filter
+ # ```
+ MARKDOWN_CODE_BLOCK_REGEX_UNTRUSTED =
+ '(?P<code>' \
+ '^```\n' \
+ '(?:\n|.)*?' \
+ '\n```\ *$' \
+ ')'.freeze
+
MARKDOWN_HTML_BLOCK_REGEX = %r{
(?<html>
# HTML block:
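Review bot: The fence opener `'^```\n'` in the new `MARKDOWN_CODE_BLOCK_REGEX_UNTRUSTED` only matches a bare triple-backtick line, so a fence that carries an info string (a ```` ```ruby ```` line) never enters the `code` group and any `>>>` lines inside it are not ignored, contrary to the comment directly above the constant. Allowing the rest of the opener line, `'^```.*?\n'`, keeps the lazy body match and the closing `'\n```\ *$'` unchanged while covering tagged fences; in RE2 `.` does not cross newlines, so this cannot swallow the body. Separately, `^` and `$` are whole-text anchors in RE2 unless the pattern is compiled with `(?m)` — presumably the consumer passes `multiline: true` to `Gitlab::UntrustedRegexp.new`, which this diff does not show — and that requirement deserves a comment on the constant, e.g. `# RE2 syntax; must be compiled with multiline enabled so ^/$ anchor per line`.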
@@ -461,27 +472,19 @@ module Gitlab
)
}mx.freeze
- MARKDOWN_HTML_COMMENT_LINE_REGEX = %r{
- (?<html_comment_line>
- # HTML comment line:
- # <!-- some commented text -->
-
- ^<!--\ .*?\ -->\ *$
- )
- }mx.freeze
-
- MARKDOWN_HTML_COMMENT_BLOCK_REGEX = %r{
- (?<html_comment_block>
- # HTML comment block:
- # <!-- some commented text
- # additional text
- # -->
+ # HTML comment line:
+ # <!-- some commented text -->
+ MARKDOWN_HTML_COMMENT_LINE_REGEX_UNTRUSTED =
+ '(?P<html_comment_line>' \
+ '^<!--\ .*?\ -->\ *$' \
+ ')'.freeze
- ^<!--.*\n
- .+?
- \n-->\ *$
- )
- }mx.freeze
+ MARKDOWN_HTML_COMMENT_BLOCK_REGEX_UNTRUSTED =
+ '(?P<html_comment_block>' \
+ '^<!--.*?\n' \
+ '(?:\n|.)*?' \
+ '\n.*?-->\ *$' \
+ ')'.freeze
def markdown_code_or_html_blocks
@markdown_code_or_html_blocks ||= %r{
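Review bot: Both replacement constants rely on `^`/`$` as per-line anchors (`'^<!--\ .*?\ -->\ *$'` and `'\n.*?-->\ *$'`), but they are now plain RE2 pattern strings rather than `/m` Ruby regexes, and RE2 treats `^`/`$` as start/end of the whole text unless `(?m)` is in effect; nothing at the definition says how they must be compiled. A one-line comment above each, `# RE2 pattern (note (?P<…>); compile via Gitlab::UntrustedRegexp with multiline enabled)`, would stop a future caller from handing them to a non-multiline `UntrustedRegexp` or to a Ruby `Regexp`, where `(?P<` is not valid syntax. Note also that the block pattern now ends at the first later line containing `-->` anywhere on it (`'\n.*?-->'`), where the removed Ruby pattern required `-->` at the start of the line — this looks intentional, but it is a behaviour change worth a word in the comment. The `markdown_code_or_html_blocks` definition that starts at the end of this hunk continues outside it.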
@@ -491,14 +494,13 @@ module Gitlab
}mx.freeze
end
- def markdown_code_or_html_comments
- @markdown_code_or_html_comments ||= %r{
- #{MARKDOWN_CODE_BLOCK_REGEX}
- |
- #{MARKDOWN_HTML_COMMENT_LINE_REGEX}
- |
- #{MARKDOWN_HTML_COMMENT_BLOCK_REGEX}
- }mx.freeze
+ def markdown_code_or_html_comments_untrusted
+ @markdown_code_or_html_comments_untrusted ||=
+ "#{MARKDOWN_CODE_BLOCK_REGEX_UNTRUSTED}" \
+ "|" \
+ "#{MARKDOWN_HTML_COMMENT_LINE_REGEX_UNTRUSTED}" \
+ "|" \
+ "#{MARKDOWN_HTML_COMMENT_BLOCK_REGEX_UNTRUSTED}"
end
# Based on Jira's project key format
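Review bot: `markdown_code_or_html_comments_untrusted` returns a bare RE2-syntax string, unlike its sibling `markdown_code_or_html_blocks` which returns a compiled `Regexp`, and nothing in the method says so; a caller who passes the result to `String#gsub` or `=~` gets a literal-string match (or an Onigmo parse error on `(?P<`) rather than the intended filter. A doc comment such as `# RE2 pattern string, not a Ruby Regexp: compile with Gitlab::UntrustedRegexp (multiline) before use` makes the contract visible at the definition. The memoized string is also mutable while every constant it joins is `.freeze`d; appending `.freeze` to the last interpolated line keeps the cached pattern immutable.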
diff --git a/lib/gitlab/untrusted_regexp.rb b/lib/gitlab/untrusted_regexp.rb
index 96e74f00c78..7c7bda3a8f9 100644
--- a/lib/gitlab/untrusted_regexp.rb
+++ b/lib/gitlab/untrusted_regexp.rb
@@ -47,6 +47,17 @@ module Gitlab
RE2.Replace(text, regexp, rewrite)
end
+ # #scan returns an array of the groups captured, rather than MatchData.
+ # Use this to give the capture group name and grab the proper value
+ def extract_named_group(name, match)
+ return unless match
+
+ match_position = regexp.named_capturing_groups[name.to_s]
+ raise RegexpError, "Invalid named capture group: #{name}" unless match_position
+
+ match[match_position - 1]
+ end
+
def ==(other)
self.source == other.source
end
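Review bot: `extract_named_group` silently depends on `match` being one element of `#scan`'s result — groups only, so `match[match_position - 1]` maps RE2's 1-based group index onto it — and a caller passing an array that includes the whole match at index 0 (a `MatchData#to_a`-style value) would get the neighbouring group with no error. The two-line comment above the method hints at this, but a YARD header would pin it: `@param match` is one element of `#scan`'s output with no whole-match entry, `@return` is the group's text or `nil` when `match` is `nil` or that group did not participate (as happens for the non-matching branch of an alternation such as the one in regex.rb), and `@raise [RegexpError]` when the pattern has no group of that name. Because `nil` covers both "no match" and "group absent from this alternative", callers that distinguish the two need to check the other groups themselves. The `regexp` reader used on the `named_capturing_groups` line is defined outside this hunk.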