6
49%
master: 63%

Ran 04 Oct 2016 06:55PM UTC

Files 436

Run time 53s

Badge

Embed ▾

Committed 22 Sep 2016 04:28PM UTC coverage: 59.578%. Remained the same

Job # 2.2.5, GEM=pending

Build Type

push

travis-ci

Committed by

Fryguy

Commit Message

Merge branch '5.6.z/fix/miq-expression-regexp-vulnerability' into '5.6.z'

Sanitize regex expressions from /s and #{}s

Both REGULAR EXPRESSION MATCHES and REGULAR EXPRESSION DOES NOT MATCH
have a vulnerability whereby a regular expression can be terminated in
the first part of the string that gets eval'd, allowing any arbitrary
Ruby code to be run.

They are also vulnerable to interpolation, wherein any arbitrary Ruby
code can get executed.

Unfortunately it is not possible to run these values through the
existing `MiqExpression.re_escape` method, since it also escapes special
characters which are essential to the user's forming real regular
expressions through the UI.

Because we are currently supporting values with or without the actual
bona fide delimiters present, and also regular expressions with one
option (e.g. `/abc/i`), we have to code several paths to ensure that we
escape only unescaped forward slashes that are not part of the bona fide
regular expression literal syntax.

Addresses CVE-2016-7040

See merge request !1045

Run Details

12568 of 21095 relevant lines covered (59.58%)

158.01 hits per line

ManageIQ / manageiq / 43173 / 6
49%
master: 63%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 43173.6 (2.2.5, GEM=pending)

ManageIQ / manageiq / 43173 / 6 49% master: 63%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 43173.6 (2.2.5, GEM=pending)

ManageIQ / manageiq / 43173 / 6
49%
master: 63%

README BADGES
x