Use UntrustedRegexp for gollum pattern

Merge branch 'security-fix-gollum-regex' into 'master' See merge request gitlab-org/security/gitlab!4021 Changelog: security

Use UntrustedRegexp for gollum pattern
8e083639 · Brett Walker · GitLab Release Tools Bot · b00a8dd4 · 8e083639 · 8e083639
--- a/lib/banzai/filter/gollum_tags_filter.rb
+++ b/lib/banzai/filter/gollum_tags_filter.rb
@@ -51,7 +51,9 @@ class GollumTagsFilter < HTML::Pipeline::Filter
      # See https://github.com/gollum/gollum/wiki
      #
      # Rubular: http://rubular.com/r/7dQnE5CUCH
-      TAGS_PATTERN = /\[\[(.+?)\]\]/
+      TAGS_PATTERN_UNTRUSTED = '\[\[(.+?)\]\]'
+      TAGS_PATTERN_UNTRUSTED_REGEX =
+        Gitlab::UntrustedRegexp.new(TAGS_PATTERN_UNTRUSTED, multiline: false).freeze

      # Pattern to match allowed image extensions
      ALLOWED_IMAGE_EXTENSIONS = /.+(jpg|png|gif|svg|bmp)\z/i
@@ -62,10 +64,10 @@ class GollumTagsFilter < HTML::Pipeline::Filter
      def call
        doc.xpath('descendant-or-self::text()').each do |node|
          next if has_ancestor?(node, IGNORED_ANCESTOR_TAGS)
-          next unless node.content =~ TAGS_PATTERN
+          next unless TAGS_PATTERN_UNTRUSTED_REGEX.match?(node.content)

-          html = CGI.escapeHTML(node.content).gsub(TAGS_PATTERN) do
-            process_tag(CGI.unescapeHTML(Regexp.last_match(1))) || Regexp.last_match(0)
+          html = TAGS_PATTERN_UNTRUSTED_REGEX.replace_gsub(CGI.escapeHTML(node.content)) do |match|
+            process_tag(CGI.unescapeHTML(match[1]))&.to_s || match[0]
          end

          node.replace(html)

--- a/spec/lib/banzai/filter/gollum_tags_filter_spec.rb
+++ b/spec/lib/banzai/filter/gollum_tags_filter_spec.rb
@@ -167,4 +167,12 @@

    expect(doc.at_css('i a').to_html).to eq "<a href=\"#{wiki.wiki_base_path}/'%22&gt;&lt;svg&gt;&lt;i/class=gl-show-field-errors&gt;&lt;input/title=%22&lt;script&gt;alert(0)&lt;/script&gt;%22/&gt;&lt;/svg&gt;https://gitlab.com/gitlab-org/gitlab/-/issues/1\" class=\"gfm gfm-gollum-wiki-page\" data-canonical-src=\"'&quot;&gt;&lt;svg&gt;&lt;i/class=gl-show-field-errors&gt;&lt;input/title=&quot;&lt;script&gt;alert(0)&lt;/script&gt;&quot;/&gt;&lt;/svg&gt;https://gitlab.com/gitlab-org/gitlab/-/issues/1\" data-link=\"true\" data-gollum=\"true\" data-reference-type=\"wiki_page\" data-project=\"#{project.id}\">a</a>"
  end
+
+  it 'protects against malicious input' do
+    text = "]#{'[[a' * 200000}[]"
+
+    expect do
+      Timeout.timeout(3.seconds) { filter(text, wiki: wiki) }
+    end.not_to raise_error
+  end
 end