Prevent Billion Laughs attack

It keeps track of the memory being used when loading the YAML file as well as the depth of nesting. Track exception when YAML is too big
author: Fabio Pitino <fpitino@gitlab.com> 2019-07-02 09:23:06 +0300
committer: Marin Jankovski <marin@gitlab.com> 2019-07-02 09:23:06 +0300
commit: abceda6cc5fa796d9bd0d7311b386787e6919266 (patch)
tree: 3a6f0cc62d9e0c42267562547be45ea5ea2d858f /spec/lib/gitlab/utils
parent: 23dedd53a73a01429c0a5c99414548694f1fab0b (diff)
1 files changed, 43 insertions, 0 deletions
diff --git a/spec/lib/gitlab/utils/deep_size_spec.rb b/spec/lib/gitlab/utils/deep_size_spec.rb
new file mode 100644
index 00000000000..1e619a15980
--- /dev/null
+++ b/spec/lib/gitlab/utils/deep_size_spec.rb
@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe Gitlab::Utils::DeepSize do
+  let(:data) do
+    {
+      a: [1, 2, 3],
+      b: {
+        c: [4, 5],
+        d: [
+          { e: [[6], [7]] }
+        ]
+      }
+    }
+  end
+
+  let(:max_size) { 1.kilobyte }
+  let(:max_depth) { 10 }
+  let(:deep_size) { described_class.new(data, max_size: max_size, max_depth: max_depth) }
+
+  describe '#evaluate' do
+    context 'when data within size and depth limits' do
+      it 'returns true' do
+        expect(deep_size).to be_valid
+      end
+    end
+
+    context 'when data not within size limit' do
+      let(:max_size) { 200.bytes }
+
+      it 'returns false' do
+        expect(deep_size).not_to be_valid
+      end
+    end
+
+    context 'when data not within depth limit' do
+      let(:max_depth) { 2 }
+
+      it 'returns false' do
+        expect(deep_size).not_to be_valid
+      end
+    end
+  end
+end
author	Fabio Pitino <fpitino@gitlab.com>	2019-07-02 09:23:06 +0300
committer	Marin Jankovski <marin@gitlab.com>	2019-07-02 09:23:06 +0300
commit	abceda6cc5fa796d9bd0d7311b386787e6919266 (patch)
tree	3a6f0cc62d9e0c42267562547be45ea5ea2d858f /spec/lib/gitlab/utils
parent	23dedd53a73a01429c0a5c99414548694f1fab0b (diff)