authorDouwe Maan <douwe@gitlab.com>2018-11-27 08:54:59 +0000
committerDouwe Maan <douwe@gitlab.com>2018-11-27 08:54:59 +0000
commit124a0cab33f6b9abda40351d2d5b4c382d514460 (patch)
treedcab2ba77342e335f79b61e5ef006765bcabf677
parentea8f0f3bcc02e26f6dbb7f40b3575bbaac852328 (diff)
parente36c347ff9827d6d14c6a8b9e217e085a3c3a498 (diff)
Merge branch 'sh-handle-string-null-bytes' into 'master'
Gracefully handle references with null bytes Closes #54466 See merge request gitlab-org/gitlab-ce!23365
-rw-r--r--changelogs/unreleased/sh-handle-string-null-bytes.yml5
-rw-r--r--lib/gitlab/git_ref_validator.rb6
-rw-r--r--spec/lib/gitlab/git_ref_validator_spec.rb1
3 files changed, 11 insertions, 1 deletions
diff --git a/changelogs/unreleased/sh-handle-string-null-bytes.yml b/changelogs/unreleased/sh-handle-string-null-bytes.yml
new file mode 100644
index 00000000000..edc045274e3
--- /dev/null
+++ b/changelogs/unreleased/sh-handle-string-null-bytes.yml
@@ -0,0 +1,5 @@
+---
+title: Gracefully handle references with null bytes
+merge_request: 23365
+author:
+type: fixed
diff --git a/lib/gitlab/git_ref_validator.rb b/lib/gitlab/git_ref_validator.rb
index a90b69ff42b..3f13ebeb9d0 100644
--- a/lib/gitlab/git_ref_validator.rb
+++ b/lib/gitlab/git_ref_validator.rb
@@ -13,7 +13,11 @@ module Gitlab
return false if ref_name.start_with?(*not_allowed_prefixes)
return false if ref_name == 'HEAD'
- Rugged::Reference.valid_name? "refs/heads/#{ref_name}"
+ begin
+ Rugged::Reference.valid_name?("refs/heads/#{ref_name}")
+ rescue ArgumentError
+ return false
+ end
end
end
end
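Review bot: The new `rescue ArgumentError` around `Rugged::Reference.valid_name?` swallows every ArgumentError without saying which one is expected, so a later reader cannot tell the intended case (a ref name containing a null byte, going by the commit title) from an unrelated argument bug. Returning false is the right fail-closed outcome for a validator, but the line deserves a comment such as `# Rugged raises ArgumentError when the name contains a null byte; treat it as invalid`. As a style point, the explicit `return` inside the rescue is redundant, since `false` as the last expression of the `begin` block already becomes the method's value. The method's signature and earlier guards are outside the hunk, so whether anything else in the body can raise ArgumentError is not visible here.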
diff --git a/spec/lib/gitlab/git_ref_validator_spec.rb b/spec/lib/gitlab/git_ref_validator_spec.rb
index ba7fb168a3b..3ab04a1c46d 100644
--- a/spec/lib/gitlab/git_ref_validator_spec.rb
+++ b/spec/lib/gitlab/git_ref_validator_spec.rb
@@ -27,4 +27,5 @@ describe Gitlab::GitRefValidator do
it { expect(described_class.validate('-branch')).to be_falsey }
it { expect(described_class.validate('.tag')).to be_falsey }
it { expect(described_class.validate('my branch')).to be_falsey }
+ it { expect(described_class.validate("\xA0\u0000\xB0")).to be_falsey }
end
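Review bot: The added example `"\xA0\u0000\xB0"` combines bytes that are not valid UTF-8 with a null byte, so it does not show which of the two makes `validate` return false. A second example with an otherwise well-formed name, e.g. `it { expect(described_class.validate("null\u0000byte")).to be_falsey }` (constructed sample), would pin the null-byte path on its own. The `describe` block starts outside the hunk, so existing coverage of malformed encodings cannot be checked from here.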