authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-10-24 18:53:21 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-10-24 18:53:21 +0000
commitb3490cf1f8e87fc8955341ff2492d72836b4ee35 (patch)
tree7a425dd23203e476d26ad3e8bd35ef39e58c5c27
parentc9bcf8fc693c82000181b314f7d0240747e62d02 (diff)
parent4b38003d412c6982041c5c3b204d38ed7f53e299 (diff)
Merge branch 'security-open-redirect-internalredirect-12-4' into '12-4-stable'
Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue. See merge request gitlab/gitlabhq!3488
-rw-r--r--app/controllers/concerns/internal_redirect.rb2
-rw-r--r--changelogs/unreleased/security-open-redirect-internalredirect.yml5
-rw-r--r--spec/controllers/concerns/internal_redirect_spec.rb3
3 files changed, 8 insertions, 2 deletions
diff --git a/app/controllers/concerns/internal_redirect.rb b/app/controllers/concerns/internal_redirect.rb
index 99bbfd56516..a35bc19aa37 100644
--- a/app/controllers/concerns/internal_redirect.rb
+++ b/app/controllers/concerns/internal_redirect.rb
@@ -6,7 +6,7 @@ module InternalRedirect
def safe_redirect_path(path)
return unless path
# Verify that the string starts with a `/` and a known route character.
- return unless path =~ %r{^/[-\w].*$}
+ return unless path =~ %r{\A/[-\w].*\z}
uri = URI(path)
# Ignore anything path of the redirect except for the path, querystring and,
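Review bot: The comment above the new regex still only says the string must start with `/` and a route character, while the security-relevant reason for the change — that `\A`/`\z`, unlike `^`/`$`, anchor the whole string rather than a line — is left unstated and is exactly what a later "simplification" would undo. I would extend it to `# \A and \z (not ^ and $, which match at line boundaries) so a newline cannot put a second, unchecked line before or after the match; \z rather than \Z also rejects a trailing newline.` Since the match result is never read, `return unless path.match?(%r{\A/[-\w].*\z})` expresses the same check without allocating a MatchData. `URI(path)` on the next line can raise `URI::InvalidURIError` for attacker-supplied values that pass the regex (a space, a lone `%`); safe_redirect_path continues past the end of this hunk, so I cannot see whether that is rescued — worth confirming, as an unhandled raise here is a user-triggerable 500.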
diff --git a/changelogs/unreleased/security-open-redirect-internalredirect.yml b/changelogs/unreleased/security-open-redirect-internalredirect.yml
new file mode 100644
index 00000000000..5ac65a4b355
--- /dev/null
+++ b/changelogs/unreleased/security-open-redirect-internalredirect.yml
@@ -0,0 +1,5 @@
+---
+title: Fixes a Open Redirect issue in `InternalRedirect`.
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/concerns/internal_redirect_spec.rb b/spec/controllers/concerns/internal_redirect_spec.rb
index da68c8c8697..e5e50cfd55e 100644
--- a/spec/controllers/concerns/internal_redirect_spec.rb
+++ b/spec/controllers/concerns/internal_redirect_spec.rb
@@ -19,7 +19,8 @@ describe InternalRedirect do
[
'Hello world',
'//example.com/hello/world',
- 'https://example.com/hello/world'
+ 'https://example.com/hello/world',
+ "not-starting-with-a-slash\n/starting/with/slash"
]
end
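Review bot: The single added case exercises only the `^` side of the old anchoring (a non-slash first line followed by a valid line); nothing in `invalid_paths` pins the `$` side, where a trailing newline or a second line after a valid prefix used to satisfy the check. Adding `"/starting/with/slash\n//example.com"` and `"/trailing/newline\n"` to the array would make a regression to `^`/`$`, or a change to `\Z` (which tolerates a final newline), visible in the spec regardless of whether the regex or the later URI parse is what rejects them. The `describe InternalRedirect` block enclosing this `let` starts before the hunk.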