diff options
author | Joern Schneeweisz <jschneeweisz@gitlab.com> | 2019-10-08 08:53:36 +0200 |
---|---|---|
committer | Joern Schneeweisz <jschneeweisz@gitlab.com> | 2019-10-14 13:46:11 +0200 |
commit | 337610619a531bd50f35b3a4eb900c8a68bed527 (patch) | |
tree | c398aa5828487b0a71b22a4063b63c312399fc97 | |
parent | 50d93f8d1686950fc58dda4823c4835fd0d8c14b (diff) | |
download | gitlab-ce-337610619a531bd50f35b3a4eb900c8a68bed527.tar.gz |
Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.
Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2934 and https://gitlab.com/gitlab-org/gitlab/issues/33569
-rw-r--r-- | app/controllers/concerns/internal_redirect.rb | 2 | ||||
-rw-r--r-- | spec/controllers/concerns/internal_redirect_spec.rb | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/app/controllers/concerns/internal_redirect.rb b/app/controllers/concerns/internal_redirect.rb index 99bbfd56516..a35bc19aa37 100644 --- a/app/controllers/concerns/internal_redirect.rb +++ b/app/controllers/concerns/internal_redirect.rb @@ -6,7 +6,7 @@ module InternalRedirect def safe_redirect_path(path) return unless path # Verify that the string starts with a `/` and a known route character. - return unless path =~ %r{^/[-\w].*$} + return unless path =~ %r{\A/[-\w].*\z} uri = URI(path) # Ignore anything path of the redirect except for the path, querystring and, diff --git a/spec/controllers/concerns/internal_redirect_spec.rb b/spec/controllers/concerns/internal_redirect_spec.rb index da68c8c8697..e5e50cfd55e 100644 --- a/spec/controllers/concerns/internal_redirect_spec.rb +++ b/spec/controllers/concerns/internal_redirect_spec.rb @@ -19,7 +19,8 @@ describe InternalRedirect do [ 'Hello world', '//example.com/hello/world', - 'https://example.com/hello/world' + 'https://example.com/hello/world', + "not-starting-with-a-slash\n/starting/with/slash" ] end |