Merge pull request #285 from cjmartian/fix-vulns

Escape lengthy regex, use File instead of IO

Author: cjmartian

lib/octocatalog-diff/catalog-diff/display/text.rb

@@ -307,6 +307,9 @@ def self.adjust_position_of_plus_minus(string_in)
         # @param string_in [String] Input string, which might contain trailing whitespace
         # @return [String] Modified string
         def self.make_trailing_whitespace_visible(string_in)
+          if string_in.length > 1000
+            raise ArgumentError, "Input string too long"
+          end
           return string_in unless string_in =~ /\A((?:.|\n)*?)(\s+)(\e\[0m)?\Z/
           beginning = Regexp.last_match(1)
           trailing_space = Regexp.last_match(2)

lib/octocatalog-diff/catalog-util/builddir.rb

@@ -155,6 +155,9 @@ def install_fact_file(logger, options)
         elsif options[:fact_file]
           raise Errno::ENOENT, "Fact file #{options[:fact_file]} does not exist" unless File.file?(options[:fact_file])
           fact_file_opts = { fact_file_string: File.read(options[:fact_file]) }
+          if options[:fact_file].length > 1000
+            raise ArgumentError, "Input too long"
+          end
           fact_file_opts[:backend] = Regexp.last_match(1).to_sym if options[:fact_file] =~ /.*\.(\w+)$/
           OctocatalogDiff::Facts.new(fact_file_opts)
         else

rake/doc.rb

@@ -21,7 +21,7 @@ def file_content(filename)
       @fc ||= {}
       @fc[filename] ||= begin
         comments = []
-        IO.readlines(filename).each do |line|
+        File.readlines(filename).each do |line|
           next if line =~ /^#\s*@/
           next if line.strip == '# frozen_string_literal: true'
           if line =~ /^#(.+)/