
Rewrite search parser to avoid potential ReDoS attack #2807

Merged
andrew merged 2 commits into master from searchparser-rewrite on Oct 24, 2021

Conversation

andrew (Member) commented Oct 18, 2021

The regex from https://github.com/marcelocf/searrrch that was used to parse the repo:foo/bar search text options had the potential for someone to perform a ReDoS on an Octobox instance, so I've rewritten the search parser with a simpler method that should close that possible attack vector.
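As an added example (not the Octobox code from this PR), a `key:value` search parser in Ruby that scans the query once, left to right, instead of matching it with a backtracking regex, so the work done is bounded by the input length whatever shape the input has; the accepted keys, the double-quote rule and the length limit are assumptions:

```ruby
# Added example, not Octobox's own code. Parses search text such as
# 'repo:foo/bar state:open "some phrase" unread' into filters and free
# terms with a single character scan and no regex, so no input can make
# the parser backtrack. Key list and length cap are assumed values.
MAX_QUERY_LENGTH = 512
ALLOWED_KEYS = %w[repo state type reason].freeze

SearchQuery = Struct.new(:filters, :terms)

# Split on single spaces, keeping double-quoted runs together as one
# token (the quotes themselves are dropped). Tabs are not treated as
# separators here; that is an assumption for the example.
def tokenize(query)
  tokens = []
  current = +""
  in_quotes = false
  query.each_char do |ch|
    if ch == '"'
      in_quotes = !in_quotes
    elsif ch == " " && !in_quotes
      tokens << current unless current.empty?
      current = +""
    else
      current << ch
    end
  end
  tokens << current unless current.empty?
  tokens
end

# Turn tokens into a SearchQuery. A token is a filter only when its
# prefix before the first ':' is an allowed key and a non-empty value
# follows; anything else (including 'http://...') is a plain term.
def parse_search(query)
  raise ArgumentError, "query too long" if query.length > MAX_QUERY_LENGTH

  filters = Hash.new { |h, k| h[k] = [] }
  terms = []
  tokenize(query).each do |token|
    key, value = token.split(":", 2)
    if value && !value.empty? && ALLOWED_KEYS.include?(key)
      filters[key] << value
    else
      terms << token
    end
  end
  SearchQuery.new(filters, terms)
end
```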

andrew added the label "security" (Relating to the security of Octoboxes users and systems) Oct 18, 2021
andrew merged commit d76db3d into master Oct 24, 2021
1 check passed
andrew deleted the searchparser-rewrite branch October 24, 2021 18:13
andrew added a commit that referenced this pull request Oct 24, 2021
* Rewrite search parser to avoid potential ReDoS attack

* Reduce duplication
andrew added a commit that referenced this pull request Oct 24, 2021
* master:
  Rewrite search parser to avoid potential ReDoS attack (#2807)
  Bump zeitwerk from 2.4.2 to 2.5.1 (#2810)
  skip flaky test
  Add lookup endpoint to find notifications by html url (#2808)
  Bump racc from 1.5.2 to 1.6.0 (#2809)
  Bump actions/checkout from 1 to 2.3.5 (#2806)
  Upgrade Ruby to 3.0.2 (#2525)
  Enable dependabot for github actions
  Bump sidekiq from 6.2.1 to 6.2.2 (#2769)
  Update spring to 3.0.0
  Update pagy
  Bump pagy from 4.11.0 to 5.0.0 (#2804)
  Bump redis from 4.5.0 to 4.5.1 (#2805)
  Update dependencies
  Bump puma from 5.5.0 to 5.5.2 (#2803)
  Bump ethon from 0.14.0 to 0.15.0 (#2802)
  Bump bugsnag from 6.23.0 to 6.24.0 (#2798)
  Bump oj from 3.13.8 to 3.13.9 (#2799)
  Bump mini_mime from 1.1.1 to 1.1.2 (#2800)
  Bump jwt from 2.2.3 to 2.3.0 (#2797)