Merge branch 'security-fj-crlf-injection' into 'master'

[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627

1 files changed, 14 insertions, 5 deletions

diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index 4b1b58d68d8..fa401abc6bb 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -10,11 +10,8 @@ module Gitlab
       def validate!(url, allow_localhost: false, allow_local_network: true, enforce_user: false, ports: [], protocols: [])
         return true if url.nil?
 
-        begin
-          uri = Addressable::URI.parse(url)
-        rescue Addressable::URI::InvalidURIError
-          raise BlockedUrlError, "URI is invalid"
-        end
+        # Param url can be a string, URI or Addressable::URI
+        uri = parse_url(url)
 
         # Allow imports from the GitLab instance itself but only from the configured ports
         return true if internal?(uri)
@@ -49,6 +46,18 @@ module Gitlab
 
       private
 
+      def parse_url(url)
+        raise Addressable::URI::InvalidURIError if multiline?(url)
+
+        Addressable::URI.parse(url)
+      rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
+        raise BlockedUrlError, 'URI is invalid'
+      end
+
+      def multiline?(url)
+        CGI.unescape(url.to_s) =~ /\n|\r/
+      end
+
       def validate_port!(port, ports)
         return if port.blank?
         # Only ports under 1024 are restricted