author | Joern Schneeweisz <jschneeweisz@gitlab.com> | 2019-10-08 08:53:36 +0200 |
---|---|---|
committer | Joern Schneeweisz <jschneeweisz@gitlab.com> | 2019-10-14 13:53:47 +0200 |
commit | 2ea5debad48b5c5b0e07d70f09c6439d1fa636b9 (patch) | |
tree | 1087f672d514f81275596c4c7087665cc84d47f9 | |
parent | 635e1578219d95ee683cd2901fa5d0f6965e7033 (diff) | |
download | gitlab-ce-2ea5debad48b5c5b0e07d70f09c6439d1fa636b9.tar.gz |
Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.
Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2934 and https://gitlab.com/gitlab-org/gitlab/issues/33569
-rw-r--r-- | app/controllers/concerns/internal_redirect.rb | 2 | ||||
-rw-r--r-- | spec/controllers/concerns/internal_redirect_spec.rb | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/app/controllers/concerns/internal_redirect.rb b/app/controllers/concerns/internal_redirect.rb
index fa3716502a0..e314953bb79 100644
--- a/app/controllers/concerns/internal_redirect.rb
+++ b/app/controllers/concerns/internal_redirect.rb
@@ -6,7 +6,7 @@ module InternalRedirect
 def safe_redirect_path(path)
 return unless path
 # Verify that the string starts with a `/` and a known route character.
- return unless path =~ %r{^/[-\w].*$}
+ return unless path =~ %r{\A/[-\w].*\z}
 uri = URI(path)
 # Ignore anything path of the redirect except for the path, querystring and,
diff --git a/spec/controllers/concerns/internal_redirect_spec.rb b/spec/controllers/concerns/internal_redirect_spec.rb
index da68c8c8697..e5e50cfd55e 100644
--- a/spec/controllers/concerns/internal_redirect_spec.rb
+++ b/spec/controllers/concerns/internal_redirect_spec.rb
@@ -19,7 +19,8 @@ describe InternalRedirect do
 [
 'Hello world',
 '//example.com/hello/world',
- 'https://example.com/hello/world'
+ 'https://example.com/hello/world',
+ "not-starting-with-a-slash\n/starting/with/slash"
 ]
 end
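Review bot: The new `\A/[-\w].*\z` pattern on the `+` line only rejects a multi-line string because Ruby's `.` stops at `\n` unless the `m` flag is set, and neither the pattern nor the comment above it says that this is the property being relied on; a later "fix" adding `m`, or switching back to `^`/`$`, would silently reopen the issue. The comment should state the intent, e.g. `# Use \A and \z rather than ^ and $ (which match per line) so a newline inside the string cannot slip an unvalidated second line past this check.` As no capture is used, `return unless path.match?(%r{\A/[-\w].*\z})` avoids allocating MatchData and setting `$~`, which also keeps the predicate read-only. safe_redirect_path continues past the end of the hunk, so the `uri` handling below is not reviewed here.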
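Review bot: The added spec case puts the newline in the middle of the string, which already failed the old `^...$` pattern's start-of-string check on the first line's `/`-prefix only by accident; the case that actually distinguishes `$` from `\z` is a trailing newline, since `$` matches before a final `\n` and `\z` does not. Adding `"/starting/with/slash\n"` to the same array pins the behaviour the implementation now depends on (and that `\z`, not `\Z`, was chosen). The block that builds this array starts outside the hunk, so its name is not visible here.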