diff options
| author | Robert Speicher <robert@gitlab.com> | 2017-09-19 03:46:31 +0000 |
|---|---|---|
| committer | Robert Speicher <robert@gitlab.com> | 2017-09-19 03:46:31 +0000 |
| commit | ff594bb3a9e5fae72a286132b88e2f1ebd4549af (patch) | |
| tree | e8ea7c046053d9d42a73980be4ff1e6d887785ca | |
| parent | 8cb06b0b5fedaf296bbe8439f2714d826a401ce4 (diff) | |
| parent | 0169dd7f6f82bc91635a3d8ddfa8bd4b6a98f2eb (diff) | |
| download | gitlab-ce-ff594bb3a9e5fae72a286132b88e2f1ebd4549af.tar.gz | |
Merge branch '34259-project-denial-of-service-via-gitmodules-fix' into 'master'
Fixes project denial of service via gitmodules using Extended ASCII.
Closes #34259
See merge request gitlab-org/gitlab-ce!14301
| -rw-r--r-- | app/helpers/submodule_helper.rb | 12 | ||||
| -rw-r--r-- | changelogs/unreleased/34259-project-denial-of-service-via-gitmodules-fix.yml | 5 | ||||
| -rw-r--r-- | spec/helpers/submodule_helper_spec.rb | 6 |
3 files changed, 19 insertions, 4 deletions
diff --git a/app/helpers/submodule_helper.rb b/app/helpers/submodule_helper.rb index 88f7702db1e..40d69e30188 100644 --- a/app/helpers/submodule_helper.rb +++ b/app/helpers/submodule_helper.rb @@ -87,10 +87,14 @@ module SubmoduleHelper namespace = @project.namespace.full_path end - [ - namespace_project_path(namespace, base), - namespace_project_tree_path(namespace, base, commit) - ] + begin + [ + namespace_project_path(namespace, base), + namespace_project_tree_path(namespace, base, commit) + ] + rescue ActionController::UrlGenerationError + [nil, nil] + end end def sanitize_submodule_url(url) diff --git a/changelogs/unreleased/34259-project-denial-of-service-via-gitmodules-fix.yml b/changelogs/unreleased/34259-project-denial-of-service-via-gitmodules-fix.yml new file mode 100644 index 00000000000..8260f7fa4b2 --- /dev/null +++ b/changelogs/unreleased/34259-project-denial-of-service-via-gitmodules-fix.yml @@ -0,0 +1,5 @@ +--- +title: Fixes project denial of service via gitmodules using Extended ASCII. +merge_request: 14301 +author: +type: fixed diff --git a/spec/helpers/submodule_helper_spec.rb b/spec/helpers/submodule_helper_spec.rb index c4f4e0d21dc..5a2e4b34069 100644 --- a/spec/helpers/submodule_helper_spec.rb +++ b/spec/helpers/submodule_helper_spec.rb @@ -147,6 +147,12 @@ describe SubmoduleHelper do expect(helper.submodule_links(submodule_item)).to eq([nil, nil]) end + it 'sanitizes invalid URL with extended ASCII' do + stub_url('é') + + expect(helper.submodule_links(submodule_item)).to eq([nil, nil]) + end + it 'returns original' do stub_url('http://mygitserver.com/gitlab-org/gitlab-ce') expect(submodule_links(submodule_item)).to eq([repo.submodule_url_for, nil]) |