Merge pull request #10349 from vpereira/parse_date_with_date_class

Use Date.parse instead of Time.now.parse to parse user controlled date

src/api/app/jobs/project_create_auto_cleanup_requests_job.rb

@@ -56,7 +56,7 @@ def autoclean_project(prj)
       attribute = prj.attribs.find_by_attrib_type_id(@cleanup_attribute.id)
       return unless attribute
 
-      time = Time.zone.parse(attribute.values.first.value)
+      time = Date.parse(attribute.values.first.value)
     rescue TypeError, ArgumentError
       # nil time raises TypeError
       return

src/api/spec/jobs/project_create_auto_cleanup_requests_job_spec.rb

@@ -52,5 +52,23 @@
         expect(project.target_of_bs_request_actions.where(type: 'delete').count).to eq(0)
       end
     end
+
+    context 'with empty cleanup time' do
+      before do
+        attribute.values.first.value = ''
+        attribute.save
+      end
+
+      it { expect { subject }.not_to raise_error }
+    end
+
+    context 'with invalid cleanup time' do
+      before do
+        attribute.values.first.value = '200000'
+        attribute.save
+      end
+
+      it { expect { subject }.not_to raise_error }
+    end
   end
 end