Merge pull request #9634 from colinux/fix-regex-timeout

Sécurité (champ regex): timeout plus agressif à 1 seconde
demarches-simplifiees · Oct 24, 2023 · 5d3d4cb · 5d3d4cb
2 parents 3487a5f + d87c7ca
commit 5d3d4cb
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 4 deletions.
diff --git a/app/assets/stylesheets/forms.scss b/app/assets/stylesheets/forms.scss
@@ -293,7 +293,7 @@
   input[type=number],
   input[type=datetime-local],
   textarea,
-  input[type=tel], {
+  input[type=tel] {
     @media (max-width: $two-columns-breakpoint) {
       width: 100%;
     }
@@ -538,6 +538,17 @@
   }
 }
 
+.type-de-champ-expression-reguliere {
+  display: flex;
+  align-items: center;
+
+  &:before,
+  &:after {
+    font-weight: bold;
+    content: "/";
+  }
+}
+
 [data-react-component-value^="ComboMultiple"] {
   margin-bottom: $default-fields-spacer;
 

diff --git a/app/components/types_de_champ_editor/champ_component/champ_component.html.haml b/app/components/types_de_champ_editor/champ_component/champ_component.html.haml
@@ -50,7 +50,8 @@
               .cell.mt-1
                 = form.label :expression_reguliere, for: dom_id(type_de_champ, :expression_reguliere) do
                   = t('.expression_reguliere.labels.regex')
-                = form.text_field :expression_reguliere, class: "fr-input small-margin small", id: dom_id(type_de_champ, :expression_reguliere)
+                .type-de-champ-expression-reguliere
+                  = form.text_field :expression_reguliere, class: "fr-input small-margin small", id: dom_id(type_de_champ, :expression_reguliere)
 
               .cell.mt-1
                 = form.label :expression_reguliere_exemple_text, for: dom_id(type_de_champ, :expression_reguliere_exemple_text) do

diff --git a/app/models/type_de_champ.rb b/app/models/type_de_champ.rb
@@ -618,7 +618,7 @@ def routable?
   def invalid_regexp?
     return false if expression_reguliere.blank?
     return false if expression_reguliere_exemple_text.blank?
-    return false if expression_reguliere_exemple_text.match?(Regexp.new(expression_reguliere, timeout: 2.0))
+    return false if expression_reguliere_exemple_text.match?(Regexp.new(expression_reguliere, timeout: ExpressionReguliereValidator::TIMEOUT))
 
     self.errors.add(:expression_reguliere_exemple_text, I18n.t('errors.messages.mismatch_regexp'))
     true

diff --git a/app/validators/expression_reguliere_validator.rb b/app/validators/expression_reguliere_validator.rb
@@ -1,7 +1,9 @@
 class ExpressionReguliereValidator < ActiveModel::Validator
+  TIMEOUT = 1.second.freeze
+
   def validate(record)
     if record.value.present?
-      if !record.value.match?(Regexp.new(record.expression_reguliere, timeout: 5.0))
+      if !record.value.match?(Regexp.new(record.expression_reguliere, timeout: TIMEOUT))
         record.errors.add(:value, :invalid_regexp, expression_reguliere_error_message: record.expression_reguliere_error_message)
       end
     end