Missing validation for expires at
Summary
The Expirable concern doesn't validate the date value provided as input.
Steps to reproduce
Two different scenarios are observed when creating any object/relation that supports expire (includes the Expirable concern):
-
expires_at
date is invalid:- Create a new Personal Access/Deploy Token with expire at value "invalid"
- The Personal Access/Deploy Token is create without expire date (Never)
-
expires_at
date is in the past:- Create Personal Access/Deploy Token with expire at value representing yesterdays date
- The Personal Access/Deploy Token is create in the DB
- The Personal Access/Deploy Token is not listed in the valid tokens list (already expired).
What is the current bug behavior?
- It is possible to create already expired token when the provided expire at value is in the past
- It possible to create a token that never expires when an expires at value was provided
What is the expected correct behavior?
The creation of tokens should be denied if provided expires at is invalid or in the past.
Output of checks
This bug happens on GitLab.com