From 0169dd7f6f82bc91635a3d8ddfa8bd4b6a98f2eb Mon Sep 17 00:00:00 2001
From: Tiago Botelho
Date: Fri, 15 Sep 2017 15:28:41 +0100
Subject: Fixes project denial of service via gitmodules using Extended ASCII.

---
 app/helpers/submodule_helper.rb | 12 ++++++++----
 .../34259-project-denial-of-service-via-gitmodules-fix.yml | 5 +++++
 spec/helpers/submodule_helper_spec.rb | 6 ++++++
 3 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/unreleased/34259-project-denial-of-service-via-gitmodules-fix.yml

diff --git a/app/helpers/submodule_helper.rb b/app/helpers/submodule_helper.rb
index 88f7702db1e..40d69e30188 100644
--- a/app/helpers/submodule_helper.rb
+++ b/app/helpers/submodule_helper.rb
@@ -87,10 +87,14 @@ module SubmoduleHelper
       namespace = @project.namespace.full_path
     end
 
-    [
-      namespace_project_path(namespace, base),
-      namespace_project_tree_path(namespace, base, commit)
-    ]
+    begin
+      [
+        namespace_project_path(namespace, base),
+        namespace_project_tree_path(namespace, base, commit)
+      ]
+    rescue ActionController::UrlGenerationError
+      [nil, nil]
+    end
   end
 
   def sanitize_submodule_url(url)
diff --git a/changelogs/unreleased/34259-project-denial-of-service-via-gitmodules-fix.yml b/changelogs/unreleased/34259-project-denial-of-service-via-gitmodules-fix.yml
new file mode 100644
index 00000000000..8260f7fa4b2
--- /dev/null
+++ b/changelogs/unreleased/34259-project-denial-of-service-via-gitmodules-fix.yml
@@ -0,0 +1,5 @@
+---
+title: Fixes project denial of service via gitmodules using Extended ASCII.
+merge_request: 14301
+author:
+type: fixed
diff --git a/spec/helpers/submodule_helper_spec.rb b/spec/helpers/submodule_helper_spec.rb
index c4f4e0d21dc..5a2e4b34069 100644
--- a/spec/helpers/submodule_helper_spec.rb
+++ b/spec/helpers/submodule_helper_spec.rb
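Review bot: The new `rescue ActionController::UrlGenerationError` returns `[nil, nil]` with no comment saying why, so a later reader may read it as swallowing a routing bug rather than as the deliberate "unlinkable submodule" result the earlier branches of this method already produce (the spec context line expects `[nil, nil]` for invalid URLs). A why-comment above `begin` would fix that, e.g. `# Route helpers raise UrlGenerationError when a namespace/project segment is not a valid route parameter (e.g. non-ASCII bytes from .gitmodules); treat such submodules as unlinkable instead of failing the page.` The rescue also catches every `UrlGenerationError`, not only those caused by bad characters, which is presumably acceptable for a best-effort link builder but is worth stating in the same comment. The enclosing method starts above the hunk.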
@@ -147,6 +147,12 @@ describe SubmoduleHelper do
       expect(helper.submodule_links(submodule_item)).to eq([nil, nil])
     end
 
+    it 'sanitizes invalid URL with extended ASCII' do
+      stub_url('é')
+
+      expect(helper.submodule_links(submodule_item)).to eq([nil, nil])
+    end
+
     it 'returns original' do
       stub_url('http://mygitserver.com/gitlab-org/gitlab-ce')
       expect(submodule_links(submodule_item)).to eq([repo.submodule_url_for, nil])
-- 
cgit v1.2.1
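Review bot: `stub_url('é')` in a UTF-8 spec file is a two-byte UTF-8 string, which is not the single-byte "Extended ASCII" input the commit title names; if the original report involved a Latin-1/binary byte, this example presumably does not reproduce it. A second example with a binary-encoded value, e.g. `stub_url("\xE9".b)`, would cover that encoding as well, and using a value shaped like a real submodule URL with the bad byte in a path segment would exercise the namespace/project extraction that precedes the new rescue instead of short-circuiting before it. The enclosing `describe` block starts and ends outside the hunk.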