From 717824144f8181bef524592eab882dd7525a60ef Mon Sep 17 00:00:00 2001
From: Heinrich Lee Yu
Date: Wed, 12 Jun 2019 22:48:38 +0800
Subject: Fix color validation regex

Also prevents ReDoS vulnerability
---
 spec/validators/color_validator_spec.rb | 43 +++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 spec/validators/color_validator_spec.rb

(limited to 'spec/validators')

diff --git a/spec/validators/color_validator_spec.rb b/spec/validators/color_validator_spec.rb
new file mode 100644
index 00000000000..e5a38ac9372
--- /dev/null
+++ b/spec/validators/color_validator_spec.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ColorValidator do
+ using RSpec::Parameterized::TableSyntax
+
+ subject do
+ Class.new do
+ include ActiveModel::Model
+ include ActiveModel::Validations
+ attr_accessor :color
+ validates :color, color: true
+ end.new
+ end
+
+ where(:color, :is_valid) do
+ '#000abc' | true
+ '#aaa' | true
+ '#BBB' | true
+ '#cCc' | true
+ '#ffff' | false
+ '#000111222' | false
+ 'invalid' | false
+ '000' | false
+ end
+
+ with_them do
+ it 'only accepts valid colors' do
+ subject.color = color
+
+ expect(subject.valid?).to eq(is_valid)
+ end
+ end
+
+ it 'fails fast for long invalid string' do
+ subject.color = '#' + ('0' * 50_000) + 'xxx'
+
+ expect do
+ Timeout.timeout(5.seconds) { subject.valid? }
+ end.not_to raise_error
+ end
+end
-- 
cgit v1.2.3
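Review bot: The `where` table never feeds the validator an input with surrounding text or a line break, which is exactly the case that separates `\A…\z` from `^…$` anchoring in a colour regex; since the commit says the regex was changed, adding rows such as `"#aaa\n" | false` and `"x#aaa" | false` would pin that the fix anchors the whole string. The `'fails fast for long invalid string'` example only checks that `valid?` returns within five seconds and never asserts its result, so `Timeout.timeout(5.seconds) { expect(subject.valid?).to be(false) }` would guard both the timing and the outcome. The validator change itself is outside this view (the listing is limited to `spec/validators`), and `Timeout` and `5.seconds` are presumably provided by `spec_helper`/Rails rather than required here.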