diff options
Diffstat (limited to 'lib/gitlab/middleware/handle_malformed_strings.rb')
-rw-r--r-- | lib/gitlab/middleware/handle_malformed_strings.rb | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/lib/gitlab/middleware/handle_malformed_strings.rb b/lib/gitlab/middleware/handle_malformed_strings.rb new file mode 100644 index 00000000000..84f7e2e1b14 --- /dev/null +++ b/lib/gitlab/middleware/handle_malformed_strings.rb @@ -0,0 +1,103 @@ +# frozen_string_literal: true + +module Gitlab + module Middleware + # There is no valid reason for a request to contain a malformed string + # so just return HTTP 400 (Bad Request) if we receive one + class HandleMalformedStrings + include ActionController::HttpAuthentication::Basic + + NULL_BYTE_REGEX = Regexp.new(Regexp.escape("\u0000")).freeze + + attr_reader :app + + def initialize(app) + @app = app + end + + def call(env) + return [400, { 'Content-Type' => 'text/plain' }, ['Bad Request']] if request_contains_malformed_string?(env) + + app.call(env) + end + + private + + def request_contains_malformed_string?(env) + return false if ENV['DISABLE_REQUEST_VALIDATION'] == '1' + + # Duplicate the env, so it is not modified when accessing the parameters + # https://github.com/rails/rails/blob/34991a6ae2fc68347c01ea7382fa89004159e019/actionpack/lib/action_dispatch/http/parameters.rb#L59 + # The modification causes problems with our multipart middleware + request = ActionDispatch::Request.new(env.dup) + + return true if malformed_path?(request.path) + return true if credentials_malformed?(request) + + request.params.values.any? do |value| + param_has_null_byte?(value) + end + rescue ActionController::BadRequest + # If we can't build an ActionDispatch::Request something's wrong + # This would also happen if `#params` contains invalid UTF-8 + # in this case we'll return a 400 + # + true + end + + def malformed_path?(path) + string_malformed?(Rack::Utils.unescape(path)) + rescue ArgumentError + # Rack::Utils.unescape raised this, path is malformed. + true + end + + def credentials_malformed?(request) + credentials = if has_basic_credentials?(request) + decode_credentials(request).presence + else + request.authorization.presence + end + + return false unless credentials + + string_malformed?(credentials) + end + + def param_has_null_byte?(value, depth = 0) + # Guard against possible attack sending large amounts of nested params + # Should be safe as deeply nested params are highly uncommon. + return false if depth > 2 + + depth += 1 + + if value.respond_to?(:match) + string_malformed?(value) + elsif value.respond_to?(:values) + value.values.any? do |hash_value| + param_has_null_byte?(hash_value, depth) + end + elsif value.is_a?(Array) + value.any? do |array_value| + param_has_null_byte?(array_value, depth) + end + else + false + end + end + + def string_malformed?(string) + # We're using match rather than include, because that will raise an ArgumentError + # when the string contains invalid UTF8 + # + # We try to encode the string from ASCII-8BIT to UTF8. If we failed to do + # so for certain characters in the string, those chars are probably incomplete + # multibyte characters. + string.encode(Encoding::UTF_8).match?(NULL_BYTE_REGEX) + rescue ArgumentError, Encoding::UndefinedConversionError + # If we're here, we caught a malformed string. Return true + true + end + end + end +end |