From b56d907a1d9065c3df354007fa00daf30626a478 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 29 Sep 2021 12:52:24 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee

---
 lib/api/invitations.rb | 2 ++
 lib/banzai/filter/spaced_link_filter.rb | 21 ++++++++++++---------
 lib/gitlab/fogbugz_import.rb | 11 +++++++++++
 lib/gitlab/fogbugz_import/client.rb | 2 --
 lib/gitlab/fogbugz_import/http_adapter.rb | 21 +++++++++++++++++++++
 lib/gitlab/string_regex_marker.rb | 10 ++++++----
 6 files changed, 52 insertions(+), 15 deletions(-)
 create mode 100644 lib/gitlab/fogbugz_import.rb
 create mode 100644 lib/gitlab/fogbugz_import/http_adapter.rb
(limited to 'lib')

diff --git a/lib/api/invitations.rb b/lib/api/invitations.rb
index 1f437ad5bd3..5cade301d81 100644
--- a/lib/api/invitations.rb
+++ b/lib/api/invitations.rb
@@ -46,6 +46,8 @@ module API
 source = find_source(source_type, params[:id])
 query = params[:query]
+ authorize_admin_source!(source_type, source)
+
 invitations = paginate(retrieve_member_invitations(source, query))
 present_member_invitations invitations
diff --git a/lib/banzai/filter/spaced_link_filter.rb b/lib/banzai/filter/spaced_link_filter.rb
index ca26e6d1581..f8d03fd6e50 100644
--- a/lib/banzai/filter/spaced_link_filter.rb
+++ b/lib/banzai/filter/spaced_link_filter.rb
@@ -26,14 +26,17 @@ module Banzai
 # Pattern to match a standard markdown link
 #
 # Rubular: http://rubular.com/r/2EXEQ49rg5
- LINK_OR_IMAGE_PATTERN = %r{
- (?!)?
- \[(?.+?)\]
- \(
- (?.+?)
- (?\ ".+?")?
- \)
- }x.freeze
+ #
+ # This pattern is vulnerable to malicious inputs, so use Gitlab::UntrustedRegexp
+ # to place bounds on execution time
+ LINK_OR_IMAGE_PATTERN = Gitlab::UntrustedRegexp.new(
+ '(?P<preview_operator>!)?' \
+ '\[(?P<text>.+?)\]' \
+ '\(' \
+ '(?P<new_link>.+?)' \
+ '(?P<title>\ ".+?")?' \
+ '\)'
+ )
 # Text matching LINK_OR_IMAGE_PATTERN inside these elements will not be linked
 IGNORE_PARENTS = %w(a code kbd pre script style).to_set
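Review bot: The new `authorize_admin_source!(source_type, source)` guard is placed after `query = params[:query]` instead of directly after `find_source(...)`; keeping the lookup and its authorization adjacent makes it harder for a later edit to slip a data access between them, so I would order it `source = find_source(source_type, params[:id])` / `authorize_admin_source!(source_type, source)` / `query = params[:query]`. The endpoint's `desc` block and the API reference are outside this hunk and presumably still do not say that admin rights on the source are now required; a spec asserting the 403 for a non-admin member would pin the fix. The enclosing `get` block starts and ends outside the hunk.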
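Review bot: The `# Rubular: http://rubular.com/r/2EXEQ49rg5` context line directly above the new constant now points at a Ruby `%r{}x` pattern that no longer exists — the constant is an RE2-backed `Gitlab::UntrustedRegexp` using `(?P<name>...)` groups — so replace it with something like `# RE2 syntax (Gitlab::UntrustedRegexp): named groups are (?P<name>...), not (?<name>...)` or drop it. The added comment would also help future maintainers if it named the cause, presumably the adjacent lazy `.+?` groups that let a crafted input backtrack heavily under Ruby's engine, rather than only saying the pattern is vulnerable. The second hunk flips one `content.match(LINK_OR_IMAGE_PATTERN)` call, but any other use of the constant in this file that relies on `Regexp`/`MatchData` behaviour (`gsub`, `$~`, symbol-keyed captures) is outside the diff and should be checked, since as far as I know `UntrustedRegexp#match` does not return a Ruby `MatchData`.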
@@ -48,7 +51,7 @@ module Banzai
 doc.xpath(TEXT_QUERY).each do |node|
 content = node.to_html
- next unless content.match(LINK_OR_IMAGE_PATTERN)
+ next unless LINK_OR_IMAGE_PATTERN.match(content)
 html = spaced_link_filter(content)
diff --git a/lib/gitlab/fogbugz_import.rb b/lib/gitlab/fogbugz_import.rb
new file mode 100644
index 00000000000..a4a52edd83e
--- /dev/null
+++ b/lib/gitlab/fogbugz_import.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'fogbugz'
+
+module Gitlab
+ module FogbugzImport
+ # Custom adapter to validate the URL before each request
+ # This way we avoid DNS rebinds or other unsafe requests
+ ::Fogbugz.adapter[:http] = HttpAdapter
+ end
+end
diff --git a/lib/gitlab/fogbugz_import/client.rb b/lib/gitlab/fogbugz_import/client.rb
index dd747a79673..024c1ae0439 100644
--- a/lib/gitlab/fogbugz_import/client.rb
+++ b/lib/gitlab/fogbugz_import/client.rb
@@ -1,7 +1,5 @@
 # frozen_string_literal: true
-require 'fogbugz'
-
 module Gitlab
 module FogbugzImport
 class Client
diff --git a/lib/gitlab/fogbugz_import/http_adapter.rb b/lib/gitlab/fogbugz_import/http_adapter.rb
new file mode 100644
index 00000000000..bfae7a10f5b
--- /dev/null
+++ b/lib/gitlab/fogbugz_import/http_adapter.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module FogbugzImport
+ class HttpAdapter
+ def initialize(options = {})
+ @root_url = options[:uri]
+ end
+
+ def request(action, options = {})
+ uri = Gitlab::Utils.append_path(@root_url, 'api.asp')
+
+ params = { 'cmd' => action }.merge(options.fetch(:params, {}))
+
+ response = Gitlab::HTTP.post(uri, body: params)
+
+ response.body
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/string_regex_marker.rb b/lib/gitlab/string_regex_marker.rb
index f1982ff914c..8e0167a433e 100644
--- a/lib/gitlab/string_regex_marker.rb
+++ b/lib/gitlab/string_regex_marker.rb
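Review bot: The comment `# Custom adapter to validate the URL before each request` overstates what the adapter does: `HttpAdapter` (added in lib/gitlab/fogbugz_import/http_adapter.rb in this same patch) performs no validation of its own, it only sends the request through `Gitlab::HTTP`, so the DNS-rebinding protection rests entirely on that wrapper's outbound-URL checks and the comment should say so, e.g. `# Route every FogBugz request through Gitlab::HTTP so its outbound-URL validation applies (avoids DNS rebinding and other unsafe requests)`. The assignment `::Fogbugz.adapter[:http] = HttpAdapter` is a side effect of loading this file, so it presumably only takes effect once something references `Gitlab::FogbugzImport`; any code path that builds a `Fogbugz::Interface` without touching that namespace first would still get the gem's default adapter. A spec asserting that `Fogbugz.adapter[:http]` is `Gitlab::FogbugzImport::HttpAdapter` after the client is loaded would guard against that regression.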
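Review bot: `request` returns `response.body` without looking at the status, so a 4xx/5xx from the FogBugz host (expired token, proxy error page) is handed back as if it were an API reply and fails later, if at all, when the XML is parsed; as far as I can tell `Gitlab::HTTP` is HTTParty-based and returns such responses rather than raising. Add a guard before the return, e.g. `raise "FogBugz API request failed (#{response.code})" unless response.success?`, using whichever error class the importer already rescues. The class also carries no comment explaining that it replaces the fogbugz gem's default HTTP adapter and must keep the `initialize(options)` / `request(action, options)` shape, presumably because the gem instantiates it with `uri:` and calls `request`; a two-line class comment would cover that.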
@@ -2,18 +2,20 @@ module Gitlab
 class StringRegexMarker < StringRangeMarker
- # rubocop: disable CodeReuse/ActiveRecord
 def mark(regex, group: 0, &block)
 ranges = []
+ offset = 0
- raw_line.scan(regex) do
- begin_index, end_index = Regexp.last_match.offset(group)
+ while match = regex.match(raw_line[offset..])
+ begin_index = match.begin(group) + offset
+ end_index = match.end(group) + offset
 ranges << (begin_index..(end_index - 1))
+
+ offset = end_index
 end
 super(ranges, &block)
 end
- # rubocop: enable CodeReuse/ActiveRecord
 end
end
--
cgit v1.2.3
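Review bot: The loop resumes from the end of the capture group (`offset = end_index`) rather than the end of the whole match, so when the group ends before the match does (e.g. `/(a)a/` on `"aaa"`) the next search restarts inside the previous match and yields overlapping ranges that `raw_line.scan(regex)` never produced; worse, a pattern that can match the empty string leaves `end_index == offset`, the `while` never advances, and `mark` spins forever on that line. Resume from `match.end(0)`, step one character past a zero-width match, and stop once the offset passes the end of the line, as sketched below. The assignment in the `while` condition should also be parenthesised, `while (match = regex.match(raw_line[offset..]))`, so RuboCop's Lint/AssignmentInCondition does not flag it. The whole `mark` method lies inside this hunk.
```ruby
      while (match = regex.match(raw_line[offset..]))
        # … unchanged: begin_index / end_index / ranges << …

        # Resume after the whole match, as String#scan does, and step one past a
        # zero-width match so the loop always makes progress.
        match_end = match.end(0) + offset
        offset = match.begin(0) == match.end(0) ? match_end + 1 : match_end
        break if offset > raw_line.length
      end
```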