Merge pull request #267 from github/dangoor/redos

Ensure that version list won't cause a timeout
github · Aug 13, 2024 · 45e0f9c · 45e0f9c
2 parents 38fcaca + e45e7d2
commit 45e0f9c
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/dist/index.js b/dist/index.js
@@ -176,6 +176,14 @@ async function availableGemVersions(gemExe) {
   };
 
   await exec.exec(gemExe, ['list', 'licensed', '--exact', '--remote', '--all', '--quiet'], options);
+
+  // Ensure that versions is not long enough to cause a timeout
+  // See https://github.com/github/setup-licensed/security/code-scanning/1
+  if (listOutput.length > 10000) {
+    core.warning('`gem list licensed` output is too long');
+    core.debug(listOutput);
+    return [];
+  }
   const versionsMatch = listOutput.match(/\((?<versions>([^,)]+(,\s)?)*)\)/);
   if (!versionsMatch || !versionsMatch.groups || !versionsMatch.groups.versions) {
     core.warning('no versions found from `gem list licensed`');

diff --git a/lib/installers/gem.js b/lib/installers/gem.js
@@ -17,6 +17,14 @@ async function availableGemVersions(gemExe) {
   };
 
   await exec.exec(gemExe, ['list', 'licensed', '--exact', '--remote', '--all', '--quiet'], options);
+
+  // Ensure that versions is not long enough to cause a timeout
+  // See https://github.com/github/setup-licensed/security/code-scanning/1
+  if (listOutput.length > 10000) {
+    core.warning('`gem list licensed` output is too long');
+    core.debug(listOutput);
+    return [];
+  }
   const versionsMatch = listOutput.match(/\((?<versions>([^,)]+(,\s)?)*)\)/);
   if (!versionsMatch || !versionsMatch.groups || !versionsMatch.groups.versions) {
     core.warning('no versions found from `gem list licensed`');