Commit a34666e6 authored by Robert Speicher's avatar Robert Speicher

Merge branch 'sh-reject-non-utf8-gpg' into 'master'

Reject GPG keys that have e-mail or names with non-valid UTF-8 encodings

Closes #47280

See merge request gitlab-org/gitlab-ce!19455
parents 5ef0e1c3 36a8f1a6
...@@ -54,7 +54,11 @@ module Gitlab ...@@ -54,7 +54,11 @@ module Gitlab
fingerprints = CurrentKeyChain.fingerprints_from_key(key) fingerprints = CurrentKeyChain.fingerprints_from_key(key)
GPGME::Key.find(:public, fingerprints).flat_map do |raw_key| GPGME::Key.find(:public, fingerprints).flat_map do |raw_key|
raw_key.uids.map { |uid| { name: uid.name, email: uid.email.downcase } } raw_key.uids.each_with_object([]) do |uid, arr|
name = uid.name.force_encoding('UTF-8')
email = uid.email.force_encoding('UTF-8')
arr << { name: name, email: email.downcase } if name.valid_encoding? && email.valid_encoding?
end
end end
end end
end end
......
...@@ -74,6 +74,19 @@ describe Gitlab::Gpg do ...@@ -74,6 +74,19 @@ describe Gitlab::Gpg do
email: 'nannie.bernhard@example.com' email: 'nannie.bernhard@example.com'
}]) }])
end end
it 'rejects non UTF-8 names and addresses' do
public_key = double(:key)
fingerprints = double(:fingerprints)
email = "\xEEch@test.com".force_encoding('ASCII-8BIT')
uid = double(:uid, name: 'Test User', email: email)
raw_key = double(:raw_key, uids: [uid])
allow(Gitlab::Gpg::CurrentKeyChain).to receive(:fingerprints_from_key).with(public_key).and_return(fingerprints)
allow(GPGME::Key).to receive(:find).with(:public, anything).and_return([raw_key])
user_infos = described_class.user_infos_from_key(public_key)
expect(user_infos).to eq([])
end
end end
describe '.current_home_dir' do describe '.current_home_dir' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment