diff --git a/app/models/concerns/referable.rb b/app/models/concerns/referable.rb
index ce064f675ae..dee940a3f88 100644
--- a/app/models/concerns/referable.rb
+++ b/app/models/concerns/referable.rb
@@ -49,6 +49,10 @@ module Referable
 raise NotImplementedError, "#{self} does not implement #{__method__}"
 end
+ def reference_valid?(reference)
+ true
+ end
+
 def link_reference_pattern(route, pattern)
 %r{
 (?
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 1bdf9c011b2..3c5859194b4 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -83,6 +83,10 @@ class Issue < ActiveRecord::Base
 @link_reference_pattern ||= super("issues", /(?\d+)/)
 end
+ def self.reference_valid?(reference)
+ reference.to_i > 0 && reference.to_i <= Gitlab::Database::MAX_INT_VALUE
+ end
+
 def self.sort(method, excluded_labels: [])
 case method.to_s
 when 'due_date_asc' then order_due_date_asc
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 73bf182ec9f..36bc98bdb1e 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -133,6 +133,10 @@ class MergeRequest < ActiveRecord::Base
 @link_reference_pattern ||= super("merge_requests", /(?\d+)/)
 end
+ def self.reference_valid?(reference)
+ reference.to_i > 0 && reference.to_i <= Gitlab::Database::MAX_INT_VALUE
+ end
+
 # Returns all the merge requests from an ActiveRecord:Relation.
 #
 # This method uses a UNION as it usually operates on the result of
diff --git a/lib/banzai/filter/abstract_reference_filter.rb b/lib/banzai/filter/abstract_reference_filter.rb
index 4815bafe238..81d66271136 100644
--- a/lib/banzai/filter/abstract_reference_filter.rb
+++ b/lib/banzai/filter/abstract_reference_filter.rb
@@ -218,8 +218,9 @@ module Banzai
 nodes.each do |node|
 node.to_html.scan(regex) do
 project = $~[:project] || current_project_path
+ symbol = $~[object_sym]
- refs[project] << $~[object_sym]
+ refs[project] << symbol if object_class.reference_valid?(symbol)
 end
 end
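Review bot: The default `reference_valid?` added to `Referable` accepts every reference and has no comment, so an including class whose references are numeric IDs gets no bounds check unless its author remembers to override it. In this commit only `Issue` and `MergeRequest` do. I would document the contract above the method, for example `# Whether +reference+ may be used in a lookup. Includers keyed by integer ID should override this; the default accepts everything.` The `reference` argument is unused in the default, so naming it `_reference` would make that explicit.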
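Review bot: `Issue.reference_valid?` in app/models/issue.rb is repeated verbatim in app/models/merge_request.rb, so the two bounds checks can drift apart. Each also converts `reference.to_i` twice. `String#to_i` ignores trailing non-digits, so the check is only as strict as the pattern that produced the capture, and that assumption deserves a comment. A single expression such as `reference.to_i.between?(1, Gitlab::Database::MAX_INT_VALUE)` would read more directly. Placing it in one shared helper that both models call would keep the rule in one place.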
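Review bot: The new `reference_valid?` guard in lib/banzai/filter/abstract_reference_filter.rb only filters what is collected into `refs[project]`. The enclosing method starts and ends outside this hunk, so it is not visible whether the code that later resolves each matched reference uses only this collection or looks the captured ID up again. If it does the latter, an out-of-range ID could presumably still reach a query there, which is worth confirming. A short comment on the guarded line would record the intent, e.g. `# Skip IDs the integer column cannot hold so they never reach a database lookup.` Separately, `Regexp.last_match` is the more readable spelling of `$~`.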
diff --git a/lib/gitlab/database.rb b/lib/gitlab/database.rb
index d76ecb54017..078609c86f1 100644
--- a/lib/gitlab/database.rb
+++ b/lib/gitlab/database.rb
@@ -1,5 +1,10 @@
 module Gitlab
 module Database
+ # The max value of INTEGER type is the same between MySQL and PostgreSQL:
+ # https://www.postgresql.org/docs/9.2/static/datatype-numeric.html
+ # http://dev.mysql.com/doc/refman/5.7/en/integer-types.html
+ MAX_INT_VALUE = 2147483647
+
 def self.adapter_name
 connection.adapter_name
 end
diff --git a/spec/lib/banzai/filter/abstract_link_filter_spec.rb b/spec/lib/banzai/filter/abstract_link_filter_spec.rb
index 0c55d8e19da..1ee31a603e4 100644
--- a/spec/lib/banzai/filter/abstract_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/abstract_link_filter_spec.rb
@@ -8,7 +8,7 @@ describe Banzai::Filter::AbstractReferenceFilter do
 doc = Nokogiri::HTML.fragment("#1 #{project.to_reference}#2")
 filter = described_class.new(doc, project: project)
- expect(filter).to receive(:object_class).twice.and_return(Issue)
+ expect(filter).to receive(:object_class).exactly(4).times.and_return(Issue)
 expect(filter).to receive(:object_sym).twice.and_return(:issue)
 refs = filter.references_per_project
diff --git a/spec/lib/banzai/filter/issue_reference_filter_spec.rb b/spec/lib/banzai/filter/issue_reference_filter_spec.rb
index 25f0bc2092f..5b63c946114 100644
--- a/spec/lib/banzai/filter/issue_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/issue_reference_filter_spec.rb
@@ -134,6 +134,12 @@ describe Banzai::Filter::IssueReferenceFilter, lib: true do
 expect(reference_filter(act).to_html).to eq exp
 end
+
+ it 'ignores out-of-bounds issue IDs on the referenced project' do
+ exp = act = "Fixed ##{Gitlab::Database::MAX_INT_VALUE + 1}"
+
+ expect(reference_filter(act).to_html).to eq exp
+ end
 end
 context 'cross-project URL reference' do
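Review bot: `MAX_INT_VALUE` in lib/gitlab/database.rb is the signed 32-bit limit, which the name and comment only imply. The bound is correct only while every column validated against it is a 4-byte INTEGER, and it would wrongly reject values for a BIGINT column. I would say so in the comment, e.g. `# Largest value of a signed 4-byte INTEGER column; do not use for BIGINT columns.` Writing the literal as `2_147_483_647` would also make it easier to verify by eye.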
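Review bot: The changed expectation in abstract_link_filter_spec.rb pins `object_class` to exactly four calls, which is an implementation detail of `references_per_project` rather than behaviour. The count already had to move from `twice` for this commit and will break again on any refactor that caches or adds a call. Since the example is about the returned `refs`, a stub without a count is more robust: `allow(filter).to receive(:object_class).and_return(Issue)`. The example's assertions lie outside this hunk.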
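Review bot: The new example in issue_reference_filter_spec.rb exercises only `MAX_INT_VALUE + 1`, so the `> 0` half of `reference_valid?` and the boundary value itself are untested. The parallel example added to merge_request_reference_filter_spec.rb has the same gap. Because the filter output is unchanged for any unknown ID, these boundaries are probably better pinned directly on the model, e.g. `expect(Issue.reference_valid?(Gitlab::Database::MAX_INT_VALUE)).to be true` and `expect(Issue.reference_valid?('0')).to be false`, with the same pair for `MergeRequest`.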
diff --git a/spec/lib/banzai/filter/merge_request_reference_filter_spec.rb b/spec/lib/banzai/filter/merge_request_reference_filter_spec.rb
index 3185e41fe5c..805acf1c8b3 100644
--- a/spec/lib/banzai/filter/merge_request_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/merge_request_reference_filter_spec.rb
@@ -38,6 +38,12 @@ describe Banzai::Filter::MergeRequestReferenceFilter, lib: true do
 expect(reference_filter(act).to_html).to eq exp
 end
+ it 'ignores out-of-bounds merge request IDs on the referenced project' do
+ exp = act = "Merge !#{Gitlab::Database::MAX_INT_VALUE + 1}"
+
+ expect(reference_filter(act).to_html).to eq exp
+ end
+
 it 'includes a title attribute' do
 doc = reference_filter("Merge #{reference}")
 expect(doc.css('a').first.attr('title')).to eq "Merge Request: #{merge.title}"