Rewrite search parser to avoid potential ReDoS attack #2807
Status: Merged
andrew added a commit that referenced this pull request on Oct 24, 2021:
* Rewrite search parser to avoid potential ReDoS attack * Reduce duplication
andrew added a commit that referenced this pull request on Oct 24, 2021:
* master: Rewrite search parser to avoid potential ReDoS attack (#2807) Bump zeitwerk from 2.4.2 to 2.5.1 (#2810) skip flaky test Add lookup endpoint to find notifications by html url (#2808) Bump racc from 1.5.2 to 1.6.0 (#2809) Bump actions/checkout from 1 to 2.3.5 (#2806) Upgrade Ruby to 3.0.2 (#2525) Enable dependabot for github actions Bump sidekiq from 6.2.1 to 6.2.2 (#2769) Update spring to 3.0.0 Update pagy Bump pagy from 4.11.0 to 5.0.0 (#2804) Bump redis from 4.5.0 to 4.5.1 (#2805) Update dependencies Bump puma from 5.5.0 to 5.5.2 (#2803) Bump ethon from 0.14.0 to 0.15.0 (#2802) Bump bugsnag from 6.23.0 to 6.24.0 (#2798) Bump oj from 3.13.8 to 3.13.9 (#2799) Bump mini_mime from 1.1.1 to 1.1.2 (#2800) Bump jwt from 2.2.3 to 2.3.0 (#2797)
andrew added a commit that referenced this pull request on Nov 2, 2021:
* WIP upgrading to octicons 15 * Bump jwt from 2.2.3 to 2.3.0 (#2797) Bumps [jwt](https://github.com/jwt/ruby-jwt) from 2.2.3 to 2.3.0. - [Release notes](https://github.com/jwt/ruby-jwt/releases) - [Changelog](https://github.com/jwt/ruby-jwt/blob/master/CHANGELOG.md) - [Commits](jwt/ruby-jwt@v2.2.3...v2.3.0) --- updated-dependencies: - dependency-name: jwt dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump mini_mime from 1.1.1 to 1.1.2 (#2800) Bumps [mini_mime](https://github.com/discourse/mini_mime) from 1.1.1 to 1.1.2. - [Release notes](https://github.com/discourse/mini_mime/releases) - [Changelog](https://github.com/discourse/mini_mime/blob/master/CHANGELOG) - [Commits](discourse/mini_mime@v1.1.1...v1.1.2) --- updated-dependencies: - dependency-name: mini_mime dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump oj from 3.13.8 to 3.13.9 (#2799) Bumps [oj](https://github.com/ohler55/oj) from 3.13.8 to 3.13.9. - [Release notes](https://github.com/ohler55/oj/releases) - [Changelog](https://github.com/ohler55/oj/blob/develop/CHANGELOG.md) - [Commits](ohler55/oj@v3.13.8...v3.13.9) --- updated-dependencies: - dependency-name: oj dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump bugsnag from 6.23.0 to 6.24.0 (#2798) Bumps [bugsnag](https://github.com/bugsnag/bugsnag-ruby) from 6.23.0 to 6.24.0. 
- [Release notes](https://github.com/bugsnag/bugsnag-ruby/releases) - [Changelog](https://github.com/bugsnag/bugsnag-ruby/blob/master/CHANGELOG.md) - [Commits](bugsnag/bugsnag-ruby@v6.23.0...v6.24.0) --- updated-dependencies: - dependency-name: bugsnag dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump ethon from 0.14.0 to 0.15.0 (#2802) Bumps [ethon](https://github.com/typhoeus/ethon) from 0.14.0 to 0.15.0. - [Release notes](https://github.com/typhoeus/ethon/releases) - [Changelog](https://github.com/typhoeus/ethon/blob/master/CHANGELOG.md) - [Commits](typhoeus/ethon@v0.14.0...v0.15.0) --- updated-dependencies: - dependency-name: ethon dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump puma from 5.5.0 to 5.5.2 (#2803) Bumps [puma](https://github.com/puma/puma) from 5.5.0 to 5.5.2. - [Release notes](https://github.com/puma/puma/releases) - [Changelog](https://github.com/puma/puma/blob/master/History.md) - [Commits](puma/puma@v5.5.0...v5.5.2) --- updated-dependencies: - dependency-name: puma dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependencies * Bump redis from 4.5.0 to 4.5.1 (#2805) Bumps [redis](https://github.com/redis/redis-rb) from 4.5.0 to 4.5.1. - [Release notes](https://github.com/redis/redis-rb/releases) - [Changelog](https://github.com/redis/redis-rb/blob/master/CHANGELOG.md) - [Commits](redis/redis-rb@v4.5.0...v4.5.1) --- updated-dependencies: - dependency-name: redis dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump pagy from 4.11.0 to 5.0.0 (#2804) * Bump pagy from 4.11.0 to 5.0.0 Bumps [pagy](https://github.com/ddnexus/pagy) from 4.11.0 to 5.0.0. - [Release notes](https://github.com/ddnexus/pagy/releases) - [Changelog](https://github.com/ddnexus/pagy/blob/master/CHANGELOG.md) - [Commits](ddnexus/pagy@4.11.0...5.0.0) --- updated-dependencies: - dependency-name: pagy dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Fixed tests Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Nesbitt <andrewnez@gmail.com> * Update pagy * Update spring to 3.0.0 * Bump sidekiq from 6.2.1 to 6.2.2 (#2769) * Bump sidekiq from 6.2.1 to 6.2.2 Bumps [sidekiq](https://github.com/mperham/sidekiq) from 6.2.1 to 6.2.2. - [Release notes](https://github.com/mperham/sidekiq/releases) - [Changelog](https://github.com/mperham/sidekiq/blob/master/Changes.md) - [Commits](sidekiq/sidekiq@v6.2.1...v6.2.2) --- updated-dependencies: - dependency-name: sidekiq dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] <support@github.com> * Update sidekiq-unique-jobs * Update dependencies * Update sidekiq options * reorder sidekiq config * skip two weird tests that only pass if OCTOBOX_BACKGROUND_JOBS_ENABLED=true Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Nesbitt <andrewnez@gmail.com> * Enable dependabot for github actions * Upgrade Ruby to 3.0.2 (#2525) * Ruby 3.0 * add alpine linux to bundler platforms in lockfile for docker * Fixed some bundler problems * Fix version of omniauth-github * Add linux to gemfile.lock platforms * ruby 3.0.1 * add linux support to lockfile * ruby 3.0.2 * Update dependencies * Update dependencies * Update lock file * add darwin platform to gemfile.lock * Bump actions/checkout from 1 to 2.3.5 (#2806) Bumps [actions/checkout](https://github.com/actions/checkout) from 1 to 2.3.5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v1...v2.3.5) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump racc from 1.5.2 to 1.6.0 (#2809) Bumps [racc](https://github.com/tenderlove/racc) from 1.5.2 to 1.6.0. - [Release notes](https://github.com/tenderlove/racc/releases) - [Changelog](https://github.com/ruby/racc/blob/master/ChangeLog) - [Commits](ruby/racc@v1.5.2...v1.6.0) --- updated-dependencies: - dependency-name: racc dependency-type: indirect update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add lookup endpoint to find notifications by html url (#2808) * Extract notification json builder into partial * Add to_api_url method to Octobox::SubjectUrlParser * Add lookup endpoint to find notifications by html url * skip flaky test * Bump zeitwerk from 2.4.2 to 2.5.1 (#2810) Bumps [zeitwerk](https://github.com/fxn/zeitwerk) from 2.4.2 to 2.5.1. - [Release notes](https://github.com/fxn/zeitwerk/releases) - [Changelog](https://github.com/fxn/zeitwerk/blob/main/CHANGELOG.md) - [Commits](fxn/zeitwerk@v2.4.2...v2.5.1) --- updated-dependencies: - dependency-name: zeitwerk dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Rewrite search parser to avoid potential ReDoS attack (#2807) * Rewrite search parser to avoid potential ReDoS attack * Reduce duplication * octicons 16 * remove comment * Fix star strokes and fills * Fix sidebar icon sizes * Purple icons for closed issues Fixes #2822 * new draft and closed pull request icons * bring back keyboard icon * Change read/unread sidebar icons * inline more svgs using new helper * Tweak opencollective icon Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The regex from https://github.com/marcelocf/searrrch that was used to parse the repo:foo/bar search text options had the potential for someone to perform a ReDoS on an Octobox instance, so I've rewritten the search parser with a simpler method that should close that possible attack vector.
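To illustrate the kind of "simpler method" the description refers to, the following is an added example of a hand-written, linear-time parser for key:value search options in Ruby. It is written for this page and is not Octobox's parser nor the searrrch gem's code; the set of recognised keys, the input length cap and the quoting rules are assumptions. The point it demonstrates is that a character-by-character scan visits each byte once, so its cost is bounded by input length regardless of how the input is shaped, which is exactly the guarantee a backtracking regular expression can lose.

```ruby
# Added example (not Octobox's own code): a linear-time tokenizer and
# option parser for search strings such as
#   repo:octobox/octobox state:open fix "quoted phrase"
# No regular expression is used, so there is no backtracking to exploit.
class SearchQueryParser
  # Assumed set of recognised option keys; unknown keys stay free text.
  KNOWN_KEYS = %w[repo owner type state reason unread].freeze

  # Assumed hard cap on accepted input; even a linear parser should
  # bound the work a single request can ask for.
  MAX_LENGTH = 1_000

  WHITESPACE = [" ", "\t", "\n", "\r"].freeze

  Result = Struct.new(:options, :free_text)

  # Returns a Result whose +options+ maps each known key to the list of
  # values given for it and whose +free_text+ is everything else.
  def self.parse(query)
    query = query.to_s[0, MAX_LENGTH]
    options = {}
    words = []
    tokens(query).each do |tok|
      key, sep, value = tok.partition(":")
      if sep == ":" && KNOWN_KEYS.include?(key) && !value.empty?
        (options[key] ||= []) << value
      else
        words << tok
      end
    end
    Result.new(options, words.join(" "))
  end

  # Split on whitespace, keeping double-quoted phrases together.
  # Each character is examined exactly once; an unterminated quote
  # simply swallows the rest of the input as one token.
  def self.tokens(query)
    tokens = []
    current = +""
    in_quotes = false
    query.each_char do |ch|
      if ch == '"'
        in_quotes = !in_quotes
      elsif WHITESPACE.include?(ch) && !in_quotes
        tokens << current unless current.empty?
        current = +""
      else
        current << ch
      end
    end
    tokens << current unless current.empty?
    tokens
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample query, not taken from any real Octobox instance.
  result = SearchQueryParser.parse('repo:octobox/octobox state:open fix "quoted phrase" unread:true')
  p result.options    # {"repo"=>["octobox/octobox"], "state"=>["open"], "unread"=>["true"]}
  p result.free_text  # "fix quoted phrase"
end
```

The two defensive properties worth checking when reviewing a parser like this are that no step re-scans earlier input (the `each_char` loop never moves backwards) and that the accepted input size is capped before any work is done. The parser deliberately does not try to validate values such as repo names; that belongs in a separate, equally bounded step.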