authorBob Van Landuyt <bob@gitlab.com>2017-05-29 19:34:33 +0200
committerBob Van Landuyt <bob@gitlab.com>2017-05-31 14:27:57 +0200
commitbd83ca1017e33fc09cc934f705d1070fbe4ab255 (patch)
tree65efddf0a39375b354ea0a3fc9ecba9ad3c32e71
parent19ee16a0f85dd4bacddbd066237e62a1bbb7113a (diff)
Avoid a crash when parsing a string containing an invalid UTF-8 sequence
Fixes https://sentry.gitlap.com/gitlab/staginggitlabcom/issues/32226/
-rw-r--r--lib/constraints/group_url_constrainer.rb1
-rw-r--r--lib/constraints/project_url_constrainer.rb5
-rw-r--r--lib/constraints/user_url_constrainer.rb2
-rw-r--r--spec/lib/constraints/group_url_constrainer_spec.rb6
-rw-r--r--spec/lib/constraints/project_url_constrainer_spec.rb6
-rw-r--r--spec/lib/constraints/user_url_constrainer_spec.rb6
6 files changed, 24 insertions, 2 deletions
diff --git a/lib/constraints/group_url_constrainer.rb b/lib/constraints/group_url_constrainer.rb
index 6fc1d56d7a0..4d75f5363c1 100644
--- a/lib/constraints/group_url_constrainer.rb
+++ b/lib/constraints/group_url_constrainer.rb
@@ -1,6 +1,7 @@
class GroupUrlConstrainer
def matches?(request)
full_path = request.params[:group_id] || request.params[:id]
+ full_path = Gitlab::Git::EncodingHelper.encode!(full_path)
return false unless DynamicPathValidator.valid_group_path?(full_path)
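Review bot: The constraint now decides on the value `encode!` returns, while the controller that follows still reads `request.params`, so whether the two agree depends on whether `Gitlab::Git::EncodingHelper.encode!` rewrites the string in place or hands back a new one — the helper is not on this page. If it returns a cleaned or substitute string for invalid input, a path that was rejected as raw bytes could be accepted after cleaning and looked up with a value the action never sees; if it passes `nil` through, `valid_group_path?(nil)` is reached exactly as before. A guard that rejects rather than repairs makes the outcome independent of the helper, assuming params arrive tagged UTF-8: `return false unless full_path && full_path.valid_encoding?` ahead of the validator call, with `encode!` kept only if normalisation is actually wanted. The same applies to the `encode!` calls added in project_url_constrainer.rb and user_url_constrainer.rb. `matches?` continues past the end of the hunk.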
diff --git a/lib/constraints/project_url_constrainer.rb b/lib/constraints/project_url_constrainer.rb
index 4c0aee6c48f..dda8ff1688f 100644
--- a/lib/constraints/project_url_constrainer.rb
+++ b/lib/constraints/project_url_constrainer.rb
@@ -1,7 +1,10 @@
class ProjectUrlConstrainer
def matches?(request)
- namespace_path = request.params[:namespace_id]
+ namespace_path = Gitlab::Git::EncodingHelper.encode!(request.params[:namespace_id])
+
project_path = request.params[:project_id] || request.params[:id]
+ project_path = Gitlab::Git::EncodingHelper.encode!(project_path)
+
full_path = [namespace_path, project_path].join('/')
return false unless DynamicPathValidator.valid_project_path?(full_path)
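Review bot: `request.params[:namespace_id]` is handed to `encode!` with no fallback, whereas `project_path` keeps its `||` default; if the helper passes `nil` through, `[nil, project_path].join('/')` two lines down yields a leading-slash path such as `/project`, and rejecting that is left entirely to the validator. The `nil` case predates this change, but the new line is where a guard naturally belongs: `return false unless namespace_path && project_path` before the `join`. `matches?` continues past the end of the hunk.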
diff --git a/lib/constraints/user_url_constrainer.rb b/lib/constraints/user_url_constrainer.rb
index d16ae7f3f40..60f18746221 100644
--- a/lib/constraints/user_url_constrainer.rb
+++ b/lib/constraints/user_url_constrainer.rb
@@ -1,6 +1,6 @@
class UserUrlConstrainer
def matches?(request)
- full_path = request.params[:username]
+ full_path = Gitlab::Git::EncodingHelper.encode!(request.params[:username])
return false unless DynamicPathValidator.valid_user_path?(full_path)
diff --git a/spec/lib/constraints/group_url_constrainer_spec.rb b/spec/lib/constraints/group_url_constrainer_spec.rb
index db680489a8d..bc767f46d8e 100644
--- a/spec/lib/constraints/group_url_constrainer_spec.rb
+++ b/spec/lib/constraints/group_url_constrainer_spec.rb
@@ -30,6 +30,12 @@ describe GroupUrlConstrainer, lib: true do
it { expect(subject.matches?(request)).to be_falsey }
end
+ context 'invalid encoding' do
+ let(:request) { build_request("hi \255") }
+
+ it { expect(subject.matches?(request)).to be_falsey }
+ end
+
context 'when the request matches a redirect route' do
context 'for a root group' do
let!(:redirect_route) { group.redirect_routes.create!(path: 'gitlabb') }
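Review bot: The new `'invalid encoding'` context pins only the rejection of `"hi \255"`; nothing asserts that a path containing valid multibyte UTF-8 is still handled as it was before the `encode!` call was added, which is the regression this change could introduce. A companion example such as `let(:request) { build_request("gitlab-\u00e9") }` (constructed) would document that; its expected value depends on `DynamicPathValidator`, which is not on this page, so it has to be taken from the current behaviour rather than assumed. The same gap exists in the contexts added to project_url_constrainer_spec.rb and user_url_constrainer_spec.rb.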
diff --git a/spec/lib/constraints/project_url_constrainer_spec.rb b/spec/lib/constraints/project_url_constrainer_spec.rb
index b6884e37aa3..4b1a1e2f607 100644
--- a/spec/lib/constraints/project_url_constrainer_spec.rb
+++ b/spec/lib/constraints/project_url_constrainer_spec.rb
@@ -39,6 +39,12 @@ describe ProjectUrlConstrainer, lib: true do
it { expect(subject.matches?(request)).to be_falsey }
end
end
+
+ context 'invalid encoding' do
+ let(:request) { build_request("hi \255", "bye \255") }
+
+ it { expect(subject.matches?(request)).to be_falsey }
+ end
end
def build_request(namespace, project, method = 'GET')
diff --git a/spec/lib/constraints/user_url_constrainer_spec.rb b/spec/lib/constraints/user_url_constrainer_spec.rb
index ed69b830979..3a53834a875 100644
--- a/spec/lib/constraints/user_url_constrainer_spec.rb
+++ b/spec/lib/constraints/user_url_constrainer_spec.rb
@@ -30,6 +30,12 @@ describe UserUrlConstrainer, lib: true do
it { expect(subject.matches?(request)).to be_falsey }
end
end
+
+ context 'invalid encoding' do
+ let(:request) { build_request("hi \255") }
+
+ it { expect(subject.matches?(request)).to be_falsey }
+ end
end
def build_request(username, method = 'GET')