Merge branch '41293-fix-command-injection-vulnerability-on-system_hook_push-queue-through-web-hook' into 'security-10-3'

Don't allow line breaks on HTTP headers

See merge request gitlab/gitlabhq!2277

(cherry picked from commit 7fc0a6fc096768a5604d6dd24d7d952e53300c82)

073b8f9c Don't allow line breaks on HTTP headers

2 files changed, 22 insertions, 0 deletions

diff --git a/spec/lib/gitlab/utils_spec.rb b/spec/lib/gitlab/utils_spec.rb
index e872a5290c5..bda239b7871 100644
--- a/spec/lib/gitlab/utils_spec.rb
+++ b/spec/lib/gitlab/utils_spec.rb
@@ -17,6 +17,22 @@ describe Gitlab::Utils do
     end
   end
 
+  describe '.remove_line_breaks' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:original, :expected) do
+      "foo\nbar\nbaz"     | "foobarbaz"
+      "foo\r\nbar\r\nbaz" | "foobarbaz"
+      "foobar"            | "foobar"
+    end
+
+    with_them do
+      it "replace line breaks with an empty string" do
+        expect(described_class.remove_line_breaks(original)).to eq(expected)
+      end
+    end
+  end
+
   describe '.to_boolean' do
     it 'accepts booleans' do
       expect(to_boolean(true)).to be(true)
diff --git a/spec/models/hooks/web_hook_spec.rb b/spec/models/hooks/web_hook_spec.rb
index 388120160ab..ea6d6e53ef5 100644
--- a/spec/models/hooks/web_hook_spec.rb
+++ b/spec/models/hooks/web_hook_spec.rb
@@ -29,6 +29,12 @@ describe WebHook do
         expect(hook.url).to eq('https://example.com')
       end
     end
+
+    describe 'token' do
+      it { is_expected.to allow_value("foobar").for(:token) }
+
+      it { is_expected.not_to allow_values("foo\nbar", "foo\r\nbar").for(:token) }
+    end
   end
 
   describe 'execute' do