Truncate value string to code scanning alert

There was a `Polynomial regular expression used on uncontrolled data` alert due to the potential length of the string on which we're then calling match. The fix is to truncate the string. The assumption here is that any such string would include a very long key, so the cropping includes an ending "}".
alphagov · Mar 5, 2025 · 75fbcc8 · 75fbcc8
1 parent b440a73
commit 75fbcc8
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/app/models/facet.rb b/app/models/facet.rb
@@ -106,7 +106,7 @@ def extract_nested_allowed_values(values_string)
     def extract_label_and_value(str, gsub_character)
       label = str.match(/^(.+){/)
       label = label.nil? ? str.strip : label[1].strip
-      value = str.match(/{(.+)}/)
+      value = str.truncate(500, omission: "}").match(/{(.+)}/)
       value = value.nil? ? str.strip.downcase.gsub(/[^\w\d\s]/, "").gsub(/\s/u, gsub_character) : value[1].strip
 
       [label, value]

diff --git a/spec/models/facet_spec.rb b/spec/models/facet_spec.rb
@@ -144,6 +144,12 @@
         facet = Facet.from_finder_admin_form_params(params)
         expect(facet.allowed_values).to eq(nil)
       end
+
+      it "truncates a value string if it's longer than 250 characters" do
+        params = { "type" => "enum_text_multiple", "allowed_values" => "LL {#{'V' * 500}}" }
+        facet = Facet.from_finder_admin_form_params(params)
+        expect(facet.allowed_values).to eq([{ label: "LL", value: "V" * 495 }])
+      end
     end
 
     describe "converting the facet 'type' and setting the corresponding specialist_publisher_properties" do