1 files changed, 30 insertions, 0 deletions

diff --git a/lib/api/helpers/custom_validators.rb b/lib/api/helpers/custom_validators.rb
index 4c15c1d01cd..b4523d7b436 100644
--- a/lib/api/helpers/custom_validators.rb
+++ b/lib/api/helpers/custom_validators.rb
@@ -56,6 +56,35 @@ module API
                                                message: "should be an array, 'None' or 'Any'"
         end
       end
+
+      class GitRef < Grape::Validations::Base
+        # There are few checks that a Git reference should pass through to be valid reference.
+        # The link contains some rules that have been added to this validator.
+        # https://mirrors.edge.kernel.org/pub/software/scm/git/docs/git-check-ref-format.html
+        # We have skipped some checks that are optional and can be skipped for exception.
+        # We also check for control characters, More info on ctrl chars - https://ruby-doc.org/core-2.7.0/Regexp.html#class-Regexp-label-Character+Classes
+        INVALID_CHARS = Regexp.union('..', '\\', '@', '@{', ' ', '~', '^', ':', '*', '?', '[', /[[:cntrl:]]/).freeze
+        GIT_REF_LENGTH = (1..1024).freeze
+
+        def validate_param!(attr_name, params)
+          revision = params[attr_name]
+
+          return unless invalid_character?(revision)
+
+          raise Grape::Exceptions::Validation, params: [@scope.full_name(attr_name)],
+                                               message: 'should be a valid reference path'
+        end
+
+        private
+
+        def invalid_character?(revision)
+          revision.nil? ||
+            revision.start_with?('-') ||
+            revision.end_with?('.') ||
+            GIT_REF_LENGTH.exclude?(revision.length) ||
+            INVALID_CHARS.match?(revision)
+        end
+      end
     end
   end
 end
@@ -65,3 +94,4 @@ Grape::Validations.register_validator(:git_sha, ::API::Helpers::CustomValidators
 Grape::Validations.register_validator(:absence, ::API::Helpers::CustomValidators::Absence)
 Grape::Validations.register_validator(:integer_none_any, ::API::Helpers::CustomValidators::IntegerNoneAny)
 Grape::Validations.register_validator(:array_none_any, ::API::Helpers::CustomValidators::ArrayNoneAny)
+Grape::Validations.register_validator(:git_ref, ::API::Helpers::CustomValidators::GitRef)