From 219d24fe5298f6ca5a16d4392360fe1f691aee97 Mon Sep 17 00:00:00 2001
From: Heinrich Lee Yu
Date: Wed, 9 Jan 2019 16:55:29 +0800
Subject: [PATCH] Fix slow project reference pattern regex
---
 app/models/project.rb | 1 +
 changelogs/unreleased/security-fix-regex-dos.yml | 5 +++++
 lib/gitlab/path_regex.rb | 3 ++-
 spec/lib/banzai/filter/project_reference_filter_spec.rb | 6 ++++++
 4 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/security-fix-regex-dos.yml
diff --git a/app/models/project.rb b/app/models/project.rb
index da77479fe1f..4057b564738 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -530,6 +530,7 @@ class Project < ActiveRecord::Base
 def reference_pattern
 %r{
+ (?#{Gitlab::PathRegex::FULL_NAMESPACE_FORMAT_REGEX})\/)?
 (?#{Gitlab::PathRegex::PROJECT_PATH_FORMAT_REGEX})
 }x
diff --git a/changelogs/unreleased/security-fix-regex-dos.yml b/changelogs/unreleased/security-fix-regex-dos.yml
new file mode 100644
index 00000000000..b08566d2f15
--- /dev/null
+++ b/changelogs/unreleased/security-fix-regex-dos.yml
@@ -0,0 +1,5 @@
+---
+title: Fix slow regex in project reference pattern
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/path_regex.rb b/lib/gitlab/path_regex.rb
index fa68dead80b..3c888be0710 100644
--- a/lib/gitlab/path_regex.rb
+++ b/lib/gitlab/path_regex.rb
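Review bot: The line added at the top of the `%r{ ... }x` literal in `reference_pattern` (app/models/project.rb) has no comment explaining why it is there, so a later regex cleanup could remove it and bring the slow match back. The added line is cut off on this page after `(?`; judging by the `PATH_START_CHAR` constant introduced in lib/gitlab/path_regex.rb it is presumably a lookbehind on that character class, but that should be confirmed against the original commit. I would add a comment above `%r{`, for example `# Only start a match at a path boundary; without this guard the pattern is retried at every offset of a long path-like string (regex DoS).` The `end` of `reference_pattern` lies outside the hunk.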
@@ -125,7 +125,8 @@ module Gitlab
 # allow non-regex validations, etc), `NAMESPACE_FORMAT_REGEX_JS` serves as a Javascript-compatible version of
 # `NAMESPACE_FORMAT_REGEX`, with the negative lookbehind assertion removed. This means that the client-side validation
 # will pass for usernames ending in `.atom` and `.git`, but will be caught by the server-side validation.
- PATH_REGEX_STR = '[a-zA-Z0-9_\.][a-zA-Z0-9_\-\.]*'.freeze
+ PATH_START_CHAR = '[a-zA-Z0-9_\.]'.freeze
+ PATH_REGEX_STR = PATH_START_CHAR + '[a-zA-Z0-9_\-\.]*'.freeze
 NAMESPACE_FORMAT_REGEX_JS = PATH_REGEX_STR + '[a-zA-Z0-9_\-]|[a-zA-Z0-9_]'.freeze
 NO_SUFFIX_REGEX = /(? character' do doc = reference_filter("Hey #{reference}foo") expect(doc.css('a').first.attr('href')).to eq urls.project_url(subject)
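Review bot: `PATH_REGEX_STR` is no longer frozen after this change. In `PATH_START_CHAR + '[a-zA-Z0-9_\-\.]*'.freeze` the `.freeze` call binds only to the right-hand literal, and `String#+` returns a new, unfrozen string. The removed line froze the whole constant, so the concatenation should be wrapped: `PATH_REGEX_STR = (PATH_START_CHAR + '[a-zA-Z0-9_\-\.]*').freeze`. The context line for `NAMESPACE_FORMAT_REGEX_JS` has the same shape and could be fixed the same way. The constant feeds the path-validation patterns, so it is worth keeping it immutable.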