slack-messenger 2.3.4 → 2.3.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 41159ac77b2c985abcaa10646004e458f34b0542a68c907b93fcb9bde162944e
-  data.tar.gz: fc6b0fbc4d3c2d6764a18b6aa06e1d8002328e1653e18e94d64656655f35df04
+  metadata.gz: 4f4f125fd094ef63218f4ad86215076f640a95a0527e54ba99c44e5b603120d0
+  data.tar.gz: 2f8940ac0823981a3e82801917cfec3837c5d4fa86d869df8e95a1d83b8076c9
 SHA512:
-  metadata.gz: 0af8745e8984db10f54f1fb373a6eccab3d5bf106655d5189b1281147be8a0fb0d0d1ed3b57a16c11a555f7bf5f9dbf103cfd38684c0e0bd1d4c6b0a6330a636
-  data.tar.gz: 129722ffe887ddc8434086ef159ed14068bd8d8045c2c3651d2d37eff25770ad3d6fca34a5939b7b82aa482f023904b00495222e3b98913a99566a50027834b2
+  metadata.gz: dcc73321d59bce0389b96aff9d6e0ce4bf6525f16388ab7afb0e7a81a1501a0feaee0b68786a017d1f0a5d4f2a7cec5e57aa123527c8b6e68745c586e8290575
+  data.tar.gz: e6bfd8a355b221a8fa673284e2c0a0475b55d3eaa7f99ea584b6556f3106c6c02ec1f136d889b5961433e54e9f4dc225caf798803586b107c78e46631f06326f

data/lib/slack-messenger/util/link_formatter.rb

@@ -1,32 +1,38 @@
 # frozen_string_literal: true
 
+require_relative 'untrusted_regexp'
+
 module Slack
   class Messenger
     module Util
       class LinkFormatter
-        # http://rubular.com/r/19cNXW5qbH
-        HTML_PATTERN = %r{
-          <a
-          (?:.*?)
-          href=['"](.+?)['"]
-          (?:.*?)>
-          (.+?)
-          </a>
-        }x
+        # https://regex101.com/r/m7CTcW/1
+        HTML_PATTERN =
+          '<a' \
+            '(?:.*?)' \
+            'href=[\'"](?P<link>.+?)[\'"]' \
+          '(?:.*?)>' \
+            '(?P<text>.+?)' \
+          '</a>'
 
         VALID_URI_CHARS = '\w\-\.\~\:\/\?\#\[\]\@\!\$\&\'\*\+\,\;\='
 
         # Attempt at only matching pairs of parens per
         # the markdown spec http://spec.commonmark.org/0.27/#links
-        #
-        # https://rubular.com/r/WfdZ1arvF6PNWO
-        MARKDOWN_PATTERN = %r{
-            \[ ([^\[\]]*?) \]
-            \(
-              ( (?:https?:\/\/|mailto:)
-              (?:[#{VALID_URI_CHARS}]*?|[#{VALID_URI_CHARS}]*?\([#{VALID_URI_CHARS}]*?\)[#{VALID_URI_CHARS}]*?) )
-            \)
-        }x
+        # https://regex101.com/r/komyFe/1
+        MARKDOWN_PATTERN =
+          '\[' \
+            '(?P<text>[^\[\]]*?)' \
+          '\]' \
+          '\(' \
+            '(?P<link>' \
+              '(?:https?:\/\/|mailto:)' \
+              "(?:[#{VALID_URI_CHARS}]*?|[#{VALID_URI_CHARS}]*?\\([#{VALID_URI_CHARS}]*?\\)[#{VALID_URI_CHARS}]*?)" \
+            ')' \
+          '\)'
+
+        HTML_REGEXP = UntrustedRegexp.new(HTML_PATTERN, multiline: true)
+        MARKDOWN_REGEXP = UntrustedRegexp.new(MARKDOWN_PATTERN, multiline: true)
 
         class << self
           def format string, **opts
@@ -54,27 +60,27 @@ module Slack
 
         private
 
-          def sub_html_links string
-            return string unless formats.include?(:html)
+        def sub_html_links string
+          return string unless formats.include?(:html)
 
-            string.gsub(HTML_PATTERN) do
-              slack_link Regexp.last_match[1], Regexp.last_match[2]
-            end
+          HTML_REGEXP.replace_gsub(string) do |html_link|
+            slack_link(html_link[1], html_link[2])
           end
+        end
 
-          def sub_markdown_links string
-            return string unless formats.include?(:markdown)
+        def sub_markdown_links string
+          return string unless formats.include?(:markdown)
 
-            string.gsub(MARKDOWN_PATTERN) do
-              slack_link Regexp.last_match[2], Regexp.last_match[1]
-            end
+          MARKDOWN_REGEXP.replace_gsub(string) do |markdown_link|
+            slack_link(markdown_link[2], markdown_link[1])
           end
+        end
 
-          def slack_link link, text=nil
-            "<#{link}" \
-            "#{text && !text.empty? ? "|#{text}" : ''}" \
-            ">"
-          end
+        def slack_link link, text=nil
+          "<#{link}" \
+          "#{text && !text.empty? ? "|#{text}" : ''}" \
+          ">"
+        end
       end
     end
   end

data/lib/slack-messenger/util/untrusted_regexp.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+# An untrusted regular expression is any regexp containing patterns sourced
+# from user input.
+#
+# Ruby's built-in regular expression library allows patterns which complete in
+# exponential time, permitting denial-of-service attacks.
+#
+# Not all regular expression features are available in untrusted regexes, and
+# there is a strict limit on total execution time. See the RE2 documentation
+# at https://github.com/google/re2/wiki/Syntax for more details.
+#
+# This class doesn't change any instance variables, which allows it to be frozen
+# and setup in constants.
+#
+# This class only provides support replacing matched token with a block (like `gsub`).
+module Slack
+  class Messenger
+    module Util
+      class UntrustedRegexp
+        require 're2'
+
+        def initialize(pattern, multiline: false)
+          if multiline
+            pattern = "(?m)#{pattern}"
+          end
+
+          @regexp = RE2::Regexp.new(pattern, log_errors: false)
+          @scan_regexp = initialize_scan_regexp
+
+          raise RegexpError, regexp.error unless regexp.ok?
+        end
+
+        # There is no built-in replace with block support (like `gsub`).  We can accomplish
+        # the same thing by parsing and rebuilding the string with the substitutions.
+        def replace_gsub(text)
+          new_text = +''
+          remainder = text
+
+          matched = match(remainder)
+
+          until matched.nil? || matched.to_a.compact.empty?
+            partitioned = remainder.partition(matched.to_s)
+            new_text << partitioned.first
+            remainder = partitioned.last
+
+            new_text << yield(matched)
+
+            matched = match(remainder)
+          end
+
+          new_text << remainder
+        end
+
+        def match(text)
+          scan_regexp.match(text)
+        end
+
+        private
+
+        attr_reader :regexp, :scan_regexp
+
+        def initialize_scan_regexp
+          if regexp.number_of_capturing_groups == 0
+            RE2::Regexp.new('(' + regexp.source + ')')
+          else
+            regexp
+          end
+        end
+      end
+    end
+  end
+end

data/lib/slack-messenger/version.rb

@@ -2,6 +2,6 @@
 
 module Slack
   class Messenger
-    VERSION = "2.3.4".freeze # rubocop:disable Style/RedundantFreeze
+    VERSION = "2.3.5".freeze # rubocop:disable Style/RedundantFreeze
   end
 end

data/spec/lib/slack-messenger/untrusted_regexp_spec.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+# require 'fast_spec_helper'
+
+RSpec.describe Slack::Messenger::Util::UntrustedRegexp do
+  def create_regex(regex_str, multiline: false)
+    described_class.new(regex_str, multiline: multiline).freeze
+  end
+
+  describe '#initialize' do
+    subject { described_class.new(pattern) }
+
+    context 'invalid regexp' do
+      let(:pattern) { '[' }
+
+      it { expect { subject }.to raise_error(RegexpError) }
+    end
+  end
+
+  describe '#replace_gsub' do
+    let(:regex_str) { '(?P<scheme>(ftp))' }
+    let(:regex) { create_regex(regex_str, multiline: true) }
+
+    def result(regex, text)
+      regex.replace_gsub(text) do |match|
+        if match[:scheme]
+          "http|#{match[:scheme]}|rss"
+        else
+          match.to_s
+        end
+      end
+    end
+
+    it 'replaces all instances of the match in a string' do
+      text = 'Use only https instead of ftp'
+
+      expect(result(regex, text)).to eq('Use only https instead of http|ftp|rss')
+    end
+
+    it 'replaces nothing when no match' do
+      text = 'Use only https instead of gopher'
+
+      expect(result(regex, text)).to eq(text)
+    end
+
+    it 'handles empty text' do
+      text = ''
+
+      expect(result(regex, text)).to eq('')
+    end
+  end
+
+  describe '#match' do
+    context 'when there are matches' do
+      it 'returns a match object' do
+        result = create_regex('(?P<number>\d+)').match('hello 10')
+
+        expect(result[:number]).to eq('10')
+      end
+    end
+
+    context 'when there are no matches' do
+      it 'returns nil' do
+        result = create_regex('(?P<number>\d+)').match('hello')
+
+        expect(result).to be_nil
+      end
+    end
+  end
+end

data/spec/lib/slack-messenger/util/link_formatter_spec.rb

@@ -151,5 +151,15 @@ RSpec.describe Slack::Messenger::Util::LinkFormatter do
         expect(formatted).to eq "Hello World, enjoy [this](http://example.com)<a href='http://example2.com'>this2</a>."
       end
     end
+
+    context "handles malicious strings efficiently" do
+      let(:malicious_text) { "![" * 500000 }
+
+      subject(:format) { described_class.format(malicious_text) }
+
+      it "takes under a second" do
+        expect { Timeout.timeout(1) { subject } }.not_to raise_error
+      end
+    end
   end
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: slack-messenger
 version: !ruby/object:Gem::Version
-  version: 2.3.4
+  version: 2.3.5
 platform: ruby
 authors:
 - Steven Sloan
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-02 00:00:00.000000000 Z
-dependencies: []
+date: 2024-06-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: re2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.7.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.7.0
 description: " A slim ruby wrapper for posting to slack webhooks "
 email:
 - stevenosloan@gmail.com
@@ -29,6 +43,7 @@ files:
 - lib/slack-messenger/util/escape.rb
 - lib/slack-messenger/util/http_client.rb
 - lib/slack-messenger/util/link_formatter.rb
+- lib/slack-messenger/util/untrusted_regexp.rb
 - lib/slack-messenger/version.rb
 - spec/end_to_end_spec.rb
 - spec/integration/ping_integration_test.rb
@@ -40,6 +55,7 @@ files:
 - spec/lib/slack-messenger/payload_middleware/format_message_spec.rb
 - spec/lib/slack-messenger/payload_middleware/stack_spec.rb
 - spec/lib/slack-messenger/payload_middleware_spec.rb
+- spec/lib/slack-messenger/untrusted_regexp_spec.rb
 - spec/lib/slack-messenger/util/http_client_spec.rb
 - spec/lib/slack-messenger/util/link_formatter_spec.rb
 - spec/lib/slack-messenger_spec.rb
@@ -48,7 +64,7 @@ homepage: https://gitlab.com/gitlab-org/slack-notifier
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -63,22 +79,23 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.5.2
+signing_key:
 specification_version: 4
 summary: A slim ruby wrapper for posting to slack webhooks
 test_files:
-- spec/spec_helper.rb
+- spec/end_to_end_spec.rb
 - spec/integration/ping_integration_test.rb
-- spec/lib/slack-messenger_spec.rb
 - spec/lib/slack-messenger/config_spec.rb
-- spec/lib/slack-messenger/util/http_client_spec.rb
-- spec/lib/slack-messenger/util/link_formatter_spec.rb
 - spec/lib/slack-messenger/payload_middleware/at_spec.rb
-- spec/lib/slack-messenger/payload_middleware/format_attachments_spec.rb
+- spec/lib/slack-messenger/payload_middleware/base_spec.rb
 - spec/lib/slack-messenger/payload_middleware/channels_spec.rb
-- spec/lib/slack-messenger/payload_middleware/stack_spec.rb
+- spec/lib/slack-messenger/payload_middleware/format_attachments_spec.rb
 - spec/lib/slack-messenger/payload_middleware/format_message_spec.rb
-- spec/lib/slack-messenger/payload_middleware/base_spec.rb
+- spec/lib/slack-messenger/payload_middleware/stack_spec.rb
 - spec/lib/slack-messenger/payload_middleware_spec.rb
-- spec/end_to_end_spec.rb
+- spec/lib/slack-messenger/untrusted_regexp_spec.rb
+- spec/lib/slack-messenger/util/http_client_spec.rb
+- spec/lib/slack-messenger/util/link_formatter_spec.rb
+- spec/lib/slack-messenger_spec.rb
+- spec/spec_helper.rb