author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-07-31 17:34:04 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-07-31 17:34:24 +0300 |
commit | 3c93d74713f5a845429b4c19b046f57cc8ea325c (patch) | |
tree | 82a692612482b6a1369986e390c7d78958ddf9f0 /lib | |
parent | f5fe9b63037d428aecb04c375579ef022ba98e1d (diff) |
Add latest changes from gitlab-org/security/gitlab@16-2-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/banzai/filter/autolink_filter.rb | 15 | ||||
-rw-r--r-- | lib/gitlab/harbor/query.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/path_regex.rb | 2 |
3 files changed, 14 insertions, 5 deletions
diff --git a/lib/banzai/filter/autolink_filter.rb b/lib/banzai/filter/autolink_filter.rb
index 336d60055e2..bbddaa37380 100644
--- a/lib/banzai/filter/autolink_filter.rb
+++ b/lib/banzai/filter/autolink_filter.rb
@@ -34,8 +34,13 @@ module Banzai
 # https://github.com/vmg/rinku/blob/v2.0.1/ext/rinku/autolink.c#L65
 #
 # Rubular: http://rubular.com/r/nrL3r9yUiq
+ # Note that it's not possible to use Gitlab::UntrustedRegexp for LINK_PATTERN,
+ # as `(?<!` is unsupported in `re2`, see https://github.com/google/re2/wiki/Syntax
 LINK_PATTERN = %r{([a-z][a-z0-9\+\.-]+://[^\s>]+)(?<!\?|!|\.|,|:)}.freeze
+ ENTITY_UNTRUSTED = '((?:&[\w#]+;)+)\z'
+ ENTITY_UNTRUSTED_REGEX = Gitlab::UntrustedRegexp.new(ENTITY_UNTRUSTED, multiline: false)
+
 # Text matching LINK_PATTERN inside these elements will not be linked
 IGNORE_PARENTS = %w(a code kbd pre script style).to_set
@@ -85,10 +90,14 @@ module Banzai
 # Remove any trailing HTML entities and store them for appending
 # outside the link element. The entity must be marked HTML safe in
 # order to be output literally rather than escaped.
- match.gsub!(/((?:&[\w#]+;)+)\z/, '')
- dropped = (Regexp.last_match(1) || '').html_safe
+ dropped = ''
+ match = ENTITY_UNTRUSTED_REGEX.replace_gsub(match) do |entities|
+ dropped = entities[1].html_safe
+
+ ''
+ end
- # To match the behaviour of Rinku, if the matched link ends with a
+ # To match the behavior of Rinku, if the matched link ends with a
 # closing part of a matched pair of punctuation, we remove that trailing
 # character unless there are an equal number of closing and opening
 # characters in the link.
diff --git a/lib/gitlab/harbor/query.rb b/lib/gitlab/harbor/query.rb
index fcd984b01ce..fc0ac539e07 100644
--- a/lib/gitlab/harbor/query.rb
+++ b/lib/gitlab/harbor/query.rb
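Review bot: The new comment above LINK_PATTERN explains why it cannot move to Gitlab::UntrustedRegexp, but not why leaving it on the backtracking Ruby engine is acceptable for untrusted markdown, which is the very question the ENTITY_UNTRUSTED change raises. The lookbehind `(?<!\?|!|\.|,|:)` only rejects trailing punctuation, so one option is to drop it, run `([a-z][a-z0-9\+\.-]+://[^\s>]+)` under UntrustedRegexp and trim trailing `?!.,:` characters in Ruby, the same way the paired-punctuation case is already handled in code further down the file; if that is rejected, the comment should at least state what bounds the backtracking pattern here (input size limits, a regex timeout, or similar — I cannot see which applies from this hunk). I would also add a line noting that ENTITY_UNTRUSTED deliberately pairs `\z` with `multiline: false` so it can only strip entities at the very end of the matched text, since that is what makes the single-match behaviour safe. The enclosing class starts and ends outside this hunk.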
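Review bot: `dropped = ''` is a plain String while the block assigns an html_safe SafeBuffer, so the variable's type now depends on whether an entity was found, whereas the removed `(Regexp.last_match(1) || '').html_safe` always produced an html_safe value. Appending an unsafe empty string to a SafeBuffer still yields '' after escaping, so output is unaffected today, but the invariant described in the comment just above ("must be marked HTML safe") is easier to keep if the initialiser reads `dropped = ''.html_safe`. The enclosing method begins and ends outside this hunk, so I cannot see how `dropped` is consumed; worth confirming it is only ever concatenated onto the link element or emitted as a text node.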
@@ -25,7 +25,7 @@ module Gitlab
 message: 'params invalid'
 }, allow_blank: true
 validates :search, format: {
- with: /\A([a-z\_]*=[a-zA-Z0-9\- :]*,*)*\z/,
+ with: /\A(name=[a-zA-Z0-9\-:]+(?:,name=[a-zA-Z0-9\-:]+)*)\z/,
 message: 'params invalid'
 }, allow_blank: true
diff --git a/lib/gitlab/path_regex.rb b/lib/gitlab/path_regex.rb
index e112423f167..8afcf682d5d 100644
--- a/lib/gitlab/path_regex.rb
+++ b/lib/gitlab/path_regex.rb
@@ -131,7 +131,7 @@ module Gitlab
 # `NAMESPACE_FORMAT_REGEX`, with the negative lookbehind assertion removed. This means that the client-side validation
 # will pass for usernames ending in `.atom` and `.git`, but will be caught by the server-side validation.
 PATH_START_CHAR = '[a-zA-Z0-9_\.]'
- PATH_REGEX_STR = PATH_START_CHAR + '[a-zA-Z0-9_\-\.]*'
+ PATH_REGEX_STR = PATH_START_CHAR + '[a-zA-Z0-9_\-\.]' + "{0,#{Namespace::URL_MAX_LENGTH - 1}}"
 NAMESPACE_FORMAT_REGEX_JS = PATH_REGEX_STR + '[a-zA-Z0-9_\-]|[a-zA-Z0-9_]'
 NO_SUFFIX_REGEX = /(?<!\.git|\.atom)/.freeze |
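Review bot: The tightened `with:` pattern on `:search` is anchored and free of nested quantifiers, but nothing in the hunk records which Harbor filters are meant to be accepted or why the value class stops at `[a-zA-Z0-9\-:]`, so the next person touching it is likely to widen it again; a comment such as `# Only comma-separated Harbor name=<value> filters; keep the value class narrow and the pattern free of nested quantifiers` above the validation would pin the intent. Because the validator is now linear, an explicit `length: { maximum: ... }` on `:search` is optional hardening rather than a requirement. The old class also allowed spaces, so a caller sending `name=foo bar` now receives 'params invalid' — I cannot tell from here whether that narrowing is intended, and it deserves a line in the description if it is.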
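Review bot: The new bound looks one character loose for the JS pattern: `PATH_START_CHAR` contributes one character, `{0,URL_MAX_LENGTH - 1}` up to URL_MAX_LENGTH - 1 more, and the unchanged `NAMESPACE_FORMAT_REGEX_JS` line then appends a further `[a-zA-Z0-9_\-]`, so its first alternative admits URL_MAX_LENGTH + 1 characters. If the quantifier is meant to cap that regex at exactly Namespace::URL_MAX_LENGTH, `"{0,#{Namespace::URL_MAX_LENGTH - 2}}"` is the tight value; if it exists only to keep the client-side regex from running unbounded and the real cap is the server-side length validation the comment above mentions, say so, e.g. `# bounded to limit client-side regex work; the authoritative length check is server-side`, so nobody "fixes" the arithmetic later. PATH_REGEX_STR may be reused by other regexes outside this hunk, which should be checked before the value is changed either way.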