Merge pull request #9634 from colinux/fix-regex-timeout

Sécurité (champ regex): timeout plus agressif à 1 seconde
Colin Darie 2023-10-24 12:37:58 +00:00 committed by GitHub
commit 5d3d4cbd91
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 18 additions and 4 deletions


@ -293,7 +293,7 @@
input[type=number],
input[type=datetime-local],
textarea,
input[type=tel], {
input[type=tel] {
@media (max-width: $two-columns-breakpoint) {
width: 100%;
}
@ -538,6 +538,17 @@
}
}
.type-de-champ-expression-reguliere {
display: flex;
align-items: center;
&:before,
&:after {
font-weight: bold;
content: "/";
}
}
[data-react-component-value^="ComboMultiple"] {
margin-bottom: $default-fields-spacer;


@ -50,6 +50,7 @@
.cell.mt-1
= form.label :expression_reguliere, for: dom_id(type_de_champ, :expression_reguliere) do
= t('.expression_reguliere.labels.regex')
.type-de-champ-expression-reguliere
= form.text_field :expression_reguliere, class: "fr-input small-margin small", id: dom_id(type_de_champ, :expression_reguliere)
.cell.mt-1


@ -618,7 +618,7 @@ class TypeDeChamp < ApplicationRecord
def invalid_regexp?
return false if expression_reguliere.blank?
return false if expression_reguliere_exemple_text.blank?
return false if expression_reguliere_exemple_text.match?(Regexp.new(expression_reguliere, timeout: 2.0))
return false if expression_reguliere_exemple_text.match?(Regexp.new(expression_reguliere, timeout: ExpressionReguliereValidator::TIMEOUT))
self.errors.add(:expression_reguliere_exemple_text, I18n.t('errors.messages.mismatch_regexp'))
true
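Review bot: A user-supplied pattern that exceeds ExpressionReguliereValidator::TIMEOUT at the `match?` on the new line raises Regexp::TimeoutError, and a pattern that does not parse raises RegexpError from `Regexp.new`; neither is rescued in the visible part of invalid_regexp?, so the check aborts with an exception instead of recording the mismatch error it exists to report. The same unrescued `Regexp.new(..., timeout:)` call is in ExpressionReguliereValidator#validate. Adding `rescue Regexp::TimeoutError, RegexpError` to the method, falling through to the same `errors.add(:expression_reguliere_exemple_text, ...)` path, turns a slow or malformed expression into a validation message rather than a failed request; the tighter timeout only helps if its expiry is handled. The method's closing `end` lies outside the hunk.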


@ -1,7 +1,9 @@
class ExpressionReguliereValidator < ActiveModel::Validator
TIMEOUT = 1.second.freeze
def validate(record)
if record.value.present?
if !record.value.match?(Regexp.new(record.expression_reguliere, timeout: 5.0))
if !record.value.match?(Regexp.new(record.expression_reguliere, timeout: TIMEOUT))
record.errors.add(:value, :invalid_regexp, expression_reguliere_error_message: record.expression_reguliere_error_message)
end
end
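Review bot: `TIMEOUT = 1.second.freeze` on the added constant line is an ActiveSupport::Duration, while `Regexp.new(timeout:)` takes a number of seconds; this appears to rely on Duration coercing to a Float at the call site, and `TIMEOUT = 1.0` would state the contract the constant is consumed under (it is also read by TypeDeChamp#invalid_regexp?) without needing `.freeze` on a numeric. A one-line comment would help the next reader, e.g. `# Upper bound in seconds for matching a user-supplied pattern; exceeding it raises Regexp::TimeoutError`. On the new `match?` line, `if !record.value.match?(...)` reads better as `unless`, or the nesting can be flattened with `return unless record.value.present?` at the top of validate. The closing `end` of validate and of the class are outside the hunk.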