From 4ec6b5a2e813d335a2fb2849fb4b65bcb90e4cf3 Mon Sep 17 00:00:00 2001
From: Kevin Dangoor
Date: Tue, 13 Aug 2024 16:26:29 +0000
Subject: [PATCH] Ensure that we don't have a vulnerability from cabal

This makes sure we don't get a homepage URL from cabal that's too long and causes a performance issue leading to a denial of service. Fixes https://github.com/github/licensed/security/code-scanning/1
---
 lib/licensed/sources/cabal.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/licensed/sources/cabal.rb b/lib/licensed/sources/cabal.rb
index 73936194..fe4ab49c 100644
--- a/lib/licensed/sources/cabal.rb
+++ b/lib/licensed/sources/cabal.rb
@@ -71,6 +71,12 @@ def package_docs_dirs(package)
 # Returns a homepage url that enforces https and removes url fragments
 def safe_homepage(homepage)
 return unless homepage
+ # Ensure there's no denial of service issue with a long homepage
+ # 1000 characters is likely enough for any real project homepage
+ # See https://github.com/github/licensed/security/code-scanning/1
+ if homepage.length > 1000
+ raise ArgumentError, "Input too long"
+ end
 # use https and remove url fragment
 homepage.gsub(/http:/, "https:")
 .gsub(/#[^?]*\z/, "")
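Review bot: The new guard raises ArgumentError for an oversized homepage, which turns one odd field in a cabal file into a hard failure for whoever calls safe_homepage, while the line just above it, `return unless homepage`, treats a missing value as "no homepage"; whether any caller rescues ArgumentError is not visible in this hunk. Returning nil instead, `return if homepage.length > MAX_HOMEPAGE_LENGTH`, with `MAX_HOMEPAGE_LENGTH = 1000` declared as a class constant, would keep the method's documented contract (url or nil) and replace the magic number. The cap is what bounds the cost of the `.gsub(/#[^?]*\z/, "")` call at the end of the hunk, whose `[^?]*` can backtrack once per `#` in the input, so the added comment should name that dependency, e.g. `# Cap length before the fragment-stripping regex below, whose backtracking grows with the number of '#' characters`. The enclosing class and the method's closing `end` are outside the hunk.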