Merge branch '41293-fix-command-injection-vulnerability-on-system_hook_push-queue-through-web-hook' into 'security-10-3'

Don't allow line breaks on HTTP headers See merge request gitlab/gitlabhq!2277 (cherry picked from commit 7fc0a6fc096768a5604d6dd24d7d952e53300c82) 073b8f9c Don't allow line breaks on HTTP headers
author: Robert Speicher <robert@gitlab.com> 2018-01-05 21:36:18 +0000
committer: Stan Hu <stanhu@gmail.com> 2018-01-16 17:04:51 -0800
commit: 791ca43f3f8f12451ee1e70efc90f5d82347af93 (patch)
tree: 38408c69a00d1ec5de991a4698ce093b73545517 /app/models/hooks/web_hook.rb
parent: 536a47b4b70df0f2a8438ed0ada7654593fa5cd0 (diff)
download: gitlab-ce-791ca43f3f8f12451ee1e70efc90f5d82347af93.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/app/models/hooks/web_hook.rb b/app/models/hooks/web_hook.rb
index 5a70e114f56..27729deeac9 100644
--- a/app/models/hooks/web_hook.rb
+++ b/app/models/hooks/web_hook.rb
@@ -4,6 +4,7 @@ class WebHook < ActiveRecord::Base
   has_many :web_hook_logs, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
 
   validates :url, presence: true, url: true
+  validates :token, format: { without: /\n/ }
 
   def execute(data, hook_name)
     WebHookService.new(self, data, hook_name).execute
author	Robert Speicher <robert@gitlab.com>	2018-01-05 21:36:18 +0000
committer	Stan Hu <stanhu@gmail.com>	2018-01-16 17:04:51 -0800
commit	791ca43f3f8f12451ee1e70efc90f5d82347af93 (patch)
tree	38408c69a00d1ec5de991a4698ce093b73545517 /app/models/hooks/web_hook.rb
parent	536a47b4b70df0f2a8438ed0ada7654593fa5cd0 (diff)
download	gitlab-ce-791ca43f3f8f12451ee1e70efc90f5d82347af93.tar.gz