| ... | ... | @@ -2,48 +2,6 @@ require 'fast_spec_helper' |
|
|
|
require 'support/shared_examples/malicious_regexp_shared_examples'
|
|
|
|
|
|
|
|
describe Gitlab::UntrustedRegexp do
|
|
|
|
describe '.valid?' do
|
|
|
|
it 'returns true if regexp is valid' do
|
|
|
|
expect(described_class.valid?('/some ( thing/'))
|
|
|
|
.to be false
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns true if regexp is invalid' do
|
|
|
|
expect(described_class.valid?('/some .* thing/'))
|
|
|
|
.to be true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.fabricate' do
|
|
|
|
context 'when regexp is using /regexp/ scheme with flags' do
|
|
|
|
it 'fabricates regexp with a single flag' do
|
|
|
|
regexp = described_class.fabricate('/something/i')
|
|
|
|
|
|
|
|
expect(regexp).to eq described_class.new('(?i)something')
|
|
|
|
expect(regexp.scan('SOMETHING')).to be_one
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'fabricates regexp with multiple flags' do
|
|
|
|
regexp = described_class.fabricate('/something/im')
|
|
|
|
|
|
|
|
expect(regexp).to eq described_class.new('(?im)something')
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'fabricates regexp without flags' do
|
|
|
|
regexp = described_class.fabricate('/something/')
|
|
|
|
|
|
|
|
expect(regexp).to eq described_class.new('something')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when regexp is a raw pattern' do
|
|
|
|
it 'raises an error' do
|
|
|
|
expect { described_class.fabricate('some .* thing') }
|
|
|
|
.to raise_error(RegexpError)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#initialize' do
|
|
|
|
subject { described_class.new(pattern) }
|
|
|
|
|
| ... | ... | @@ -92,11 +50,41 @@ describe Gitlab::UntrustedRegexp do |
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#match?' do
|
|
|
|
subject { described_class.new(regexp).match?(text) }
|
|
|
|
|
|
|
|
context 'malicious regexp' do
|
|
|
|
let(:text) { malicious_text }
|
|
|
|
let(:regexp) { malicious_regexp_re2 }
|
|
|
|
|
|
|
|
include_examples 'malicious regexp'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'matching regexp' do
|
|
|
|
let(:regexp) { 'foo' }
|
|
|
|
let(:text) { 'foo' }
|
|
|
|
|
|
|
|
it 'returns an array of nil matches' do
|
|
|
|
is_expected.to eq(true)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'non-matching regexp' do
|
|
|
|
let(:regexp) { 'boo' }
|
|
|
|
let(:text) { 'foo' }
|
|
|
|
|
|
|
|
it 'returns an array of nil matches' do
|
|
|
|
is_expected.to eq(false)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#scan' do
|
|
|
|
subject { described_class.new(regexp).scan(text) }
|
|
|
|
|
|
|
|
context 'malicious regexp' do
|
|
|
|
let(:text) { malicious_text }
|
|
|
|
let(:regexp) { malicious_regexp }
|
|
|
|
let(:regexp) { malicious_regexp_re2 }
|
|
|
|
|
|
|
|
include_examples 'malicious regexp'
|
|
|
|
end
|
| ... | ... | |
| ... | ... | |