Fix ambiguous routing issues by teaching router about reserved words

4345bb8c · Douwe Maan · 3cfcbcf3 · 4345bb8c · 4345bb8c · 4345bb8c
Commit 4345bb8c authored May 19, 2017 by Douwe Maan
29 changed files
--- a/app/controllers/projects/refs_controller.rb
+++ b/app/controllers/projects/refs_controller.rb
@@ -74,6 +74,6 @@ class Projects::RefsController < Projects::ApplicationController
  private
  def validate_ref_id
-    return not_found! if params[:id].present? && params[:id] !~ Gitlab::Regex.git_reference_regex
+    return not_found! if params[:id].present? && params[:id] !~ Gitlab::PathRegex.git_reference_regex
  end
 end
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -205,8 +205,8 @@ class Project < ActiveRecord::Base
    presence: true,
    dynamic_path: true,
    length: { maximum: 255 },
-    format: { with: Gitlab::Regex.project_path_regex,
+    format: { with: Gitlab::PathRegex.project_path_format_regex,
-              message: Gitlab::Regex.project_path_regex_message },
+              message: Gitlab::PathRegex.project_path_format_message },
    uniqueness: { scope: :namespace_id }
  validates :namespace, presence: true
@@ -380,11 +380,9 @@ class Project < ActiveRecord::Base
    end
    def reference_pattern
-      name_pattern = Gitlab::Regex::FULL_NAMESPACE_REGEX_STR
      %r{
-        ((?<namespace>#{name_pattern})\/)?
+        ((?<namespace>#{Gitlab::PathRegex::FULL_NAMESPACE_FORMAT_REGEX})\/)?
-        (?<project>#{name_pattern})
+        (?<project>#{Gitlab::PathRegex::PROJECT_PATH_FORMAT_REGEX})
      }x
    end

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -367,7 +367,7 @@ class User < ActiveRecord::Base
    def reference_pattern
      %r{
        #{Regexp.escape(reference_prefix)}
-        (?<user>#{Gitlab::Regex::FULL_NAMESPACE_REGEX_STR})
+        (?<user>#{Gitlab::PathRegex::FULL_NAMESPACE_FORMAT_REGEX})
      }x
    end

--- a/app/validators/dynamic_path_validator.rb
+++ b/app/validators/dynamic_path_validator.rb
@@ -3,212 +3,45 @@
 # Custom validator for GitLab path values.
 # These paths are assigned to `Namespace` (& `Group` as a subclass) & `Project`
 #
-# Values are checked for formatting and exclusion from a list of reserved path
+# Values are checked for formatting and exclusion from a list of illegal path
 # names.
 class DynamicPathValidator < ActiveModel::EachValidator
-  # All routes that appear on the top level must be listed here.
+  class << self
-  # This will make sure that groups cannot be created with these names
+    def valid_user_path?(path)
-  # as these routes would be masked by the paths already in place.
+      "#{path}/" =~ Gitlab::PathRegex.root_namespace_path_regex
-  #
+    end
-  # Example:
-  #   /api/api-project
-  #
-  #  the path `api` shouldn't be allowed because it would be masked by `api/*`
-  #
-  TOP_LEVEL_ROUTES = %w[
-    -
-    .well-known
-    abuse_reports
-    admin
-    all
-    api
-    assets
-    autocomplete
-    ci
-    dashboard
-    explore
-    files
-    groups
-    health_check
-    help
-    hooks
-    import
-    invites
-    issues
-    jwt
-    koding
-    member
-    merge_requests
-    new
-    notes
-    notification_settings
-    oauth
-    profile
-    projects
-    public
-    repository
-    robots.txt
-    s
-    search
-    sent_notifications
-    services
-    snippets
-    teams
-    u
-    unicorn_test
-    unsubscribes
-    uploads
-    users
-  ].freeze
-  # This list should contain all words following `/*namespace_id/:project_id` in
-  # routes that contain a second wildcard.
-  #
-  # Example:
-  #   /*namespace_id/:project_id/badges/*ref/build
-  #
-  # If `badges` was allowed as a project/group name, we would not be able to access the
-  # `badges` route for those projects:
-  #
-  # Consider a namespace with path `foo/bar` and a project called `badges`.
-  # The route to the build badge would then be `/foo/bar/badges/badges/master/build.svg`
-  #
-  # When accessing this path the route would be matched to the `badges` path
-  # with the following params:
-  #   - namespace_id: `foo`
-  #   - project_id: `bar`
-  #   - ref: `badges/master`
-  #
-  # Failing to find the project, this would result in a 404.
-  #
-  # By rejecting `badges` the router can _count_ on the fact that `badges` will
-  # be preceded by the `namespace/project`.
-  WILDCARD_ROUTES = %w[
-    badges
-    blame
-    blob
-    builds
-    commits
-    create
-    create_dir
-    edit
-    environments/folders
-    files
-    find_file
-    gitlab-lfs/objects
-    info/lfs/objects
-    new
-    preview
-    raw
-    refs
-    tree
-    update
-    wikis
-  ].freeze
-  # These are all the paths that follow `/groups/*id/ or `/groups/*group_id`
-  # We need to reject these because we have a `/groups/*id` page that is the same
-  # as the `/*id`.
-  #
-  # If we would allow a subgroup to be created with the name `activity` then
-  # this group would not be accessible through `/groups/parent/activity` since
-  # this would map to the activity-page of it's parent.
-  GROUP_ROUTES = %w[
-    activity
-    analytics
-    audit_events
-    avatar
-    edit
-    group_members
-    hooks
-    issues
-    labels
-    ldap
-    ldap_group_links
-    merge_requests
-    milestones
-    notification_setting
-    pipeline_quota
-    projects
-    subgroups
-  ].freeze
-  CHILD_ROUTES = (WILDCARD_ROUTES | GROUP_ROUTES).freeze
-  def self.without_reserved_wildcard_paths_regex
-    @without_reserved_wildcard_paths_regex ||= regex_excluding_child_paths(WILDCARD_ROUTES)
-  end
-  def self.without_reserved_child_paths_regex
-    @without_reserved_child_paths_regex ||= regex_excluding_child_paths(CHILD_ROUTES)
-  end
-  # This is used to validate a full path.
-  # It doesn't match paths
-  #   - Starting with one of the top level words
-  #   - Containing one of the child level words in the middle of a path
-  def self.regex_excluding_child_paths(child_routes)
-    reserved_top_level_words = Regexp.union(TOP_LEVEL_ROUTES)
-    not_starting_in_reserved_word = %r{\A/?(?!(#{reserved_top_level_words})(/|\z))}
-    reserved_child_level_words = Regexp.union(child_routes)
-    not_containing_reserved_child = %r{(?!\S+/(#{reserved_child_level_words})(/|\z))}
-    %r{#{not_starting_in_reserved_word}
-       #{not_containing_reserved_child}
-       #{Gitlab::Regex.full_namespace_regex}}x
-  end
-  def self.valid?(path)
-    path =~ Gitlab::Regex.full_namespace_regex && !full_path_reserved?(path)
-  end
-  def self.full_path_reserved?(path)
-    path = path.to_s.downcase
-    _project_part, namespace_parts = path.reverse.split('/', 2).map(&:reverse)
-    wildcard_reserved?(path) || child_reserved?(namespace_parts)
-  end
-  def self.child_reserved?(path)
-    return false unless path
-    path !~ without_reserved_child_paths_regex
-  end
-  def self.wildcard_reserved?(path)
+    def valid_group_path?(path)
-    return false unless path
+      "#{path}/" =~ Gitlab::PathRegex.full_namespace_path_regex
+    end
-    path !~ without_reserved_wildcard_paths_regex
+    def valid_project_path?(path)
+      "#{path}/" =~ Gitlab::PathRegex.full_project_path_regex
+    end
  end
-  delegate :full_path_reserved?,
+  def path_valid_for_record?(record, value)
-           :child_reserved?,
-           to: :class
-  def path_reserved_for_record?(record, value)
    full_path = record.respond_to?(:full_path) ? record.full_path : value
-    # For group paths the entire path cannot contain a reserved child word
+    return true unless full_path
-    # The path doesn't contain the last `_project_part` so we need to validate
-    # if the entire path.
+    case record
-    # Example:
+    when Project
-    #   A *group* with full path `parent/activity` is reserved.
+      self.class.valid_project_path?(full_path)
-    #   A *project* with full path `parent/activity` is allowed.
+    when Group
-    if record.is_a? Group
+      self.class.valid_group_path?(full_path)
-      child_reserved?(full_path)
+    else # User or non-Group Namespace
-    else
+      self.class.valid_user_path?(full_path)
-      full_path_reserved?(full_path)
    end
  end
  def validate_each(record, attribute, value)
-    unless value =~ Gitlab::Regex.namespace_regex
+    unless value =~ Gitlab::PathRegex.namespace_format_regex
-      record.errors.add(attribute, Gitlab::Regex.namespace_regex_message)
+      record.errors.add(attribute, Gitlab::PathRegex.namespace_format_message)
      return
    end
-    if path_reserved_for_record?(record, value)
+    unless path_valid_for_record?(record, value)
      record.errors.add(attribute, "#{value} is a reserved name")
    end
  end

--- a/app/views/devise/shared/_signup_box.html.haml
+++ b/app/views/devise/shared/_signup_box.html.haml
@@ -8,7 +8,7 @@
        = f.text_field :name, class: "form-control top", required: true, title: "This field is required."
      .username.form-group
        = f.label :username
-        = f.text_field :username, class: "form-control middle", pattern: Gitlab::Regex::NAMESPACE_REGEX_STR_JS, required: true, title: 'Please create a username with only alphanumeric characters.'
+        = f.text_field :username, class: "form-control middle", pattern: Gitlab::PathRegex::NAMESPACE_FORMAT_REGEX_JS, required: true, title: 'Please create a username with only alphanumeric characters.'
        %p.validation-error.hide Username is already taken.
        %p.validation-success.hide Username is available.
        %p.validation-pending.hide Checking username availability...

--- a/app/views/shared/_group_form.html.haml
+++ b/app/views/shared/_group_form.html.haml
@@ -15,7 +15,7 @@
          %strong= parent.full_path + '/'
      = f.text_field :path, placeholder: 'open-source', class: 'form-control',
        autofocus: local_assigns[:autofocus] || false, required: true,
-        pattern: Gitlab::Regex::NAMESPACE_REGEX_STR_JS,
+        pattern: Gitlab::PathRegex::NAMESPACE_FORMAT_REGEX_JS,
        title: 'Please choose a group path with no special characters.',
        "data-bind-in" => "#{'create_chat_team' if Gitlab.config.mattermost.enabled}"
      - if parent

--- a/config/routes.rb
+++ b/config/routes.rb
 require 'sidekiq/web'
 require 'sidekiq/cron/web'
-require 'constraints/group_url_constrainer'
 Rails.application.routes.draw do
  concern :access_requestable do
@@ -85,20 +84,6 @@ Rails.application.routes.draw do
  root to: "root#index"
-  # Since group show page is wildcard routing
-  # we want all other routing to be checked before matching this one
-  constraints(GroupUrlConstrainer.new) do
-    scope(path: '*id',
-          as: :group,
-          constraints: { id: Gitlab::Regex.namespace_route_regex, format: /(html|json|atom)/ },
-          controller: :groups) do
-      get '/', action: :show
-      patch '/', action: :update
-      put '/', action: :update
-      delete '/', action: :destroy
-    end
-  end
  draw :test if Rails.env.test?
  get '*unmatched_route', to: 'application#route_not_found'

--- a/config/routes/admin.rb
+++ b/config/routes/admin.rb
@@ -36,7 +36,7 @@ namespace :admin do
  scope(path: 'groups/*id',
        controller: :groups,
-        constraints: { id: Gitlab::Regex.namespace_route_regex, format: /(html|json|atom)/ }) do
+        constraints: { id: Gitlab::PathRegex.full_namespace_route_regex, format: /(html|json|atom)/ }) do
    scope(as: :group) do
      put :members_update
@@ -68,10 +68,12 @@ namespace :admin do
  resources :projects, only: [:index]
-  scope(path: 'projects/*namespace_id', as: :namespace) do
+  scope(path: 'projects/*namespace_id',
+        as: :namespace,
+        constraints: { namespace_id: Gitlab::PathRegex.full_namespace_route_regex }) do
    resources(:projects,
              path: '/',
-              constraints: { id: Gitlab::Regex.project_route_regex },
+              constraints: { id: Gitlab::PathRegex.project_route_regex },
              only: [:show]) do
      member do

--- a/config/routes/git_http.rb
+++ b/config/routes/git_http.rb
-scope(path: '*namespace_id/:project_id', constraints: { format: nil }) do
+scope(path: '*namespace_id/:project_id',
-  scope(constraints: { project_id: Gitlab::Regex.project_git_route_regex }, module: :projects) do
+      format: nil,
+      constraints: { namespace_id: Gitlab::PathRegex.full_namespace_route_regex }) do
+  scope(constraints: { project_id: Gitlab::PathRegex.project_git_route_regex }, module: :projects) do
    # Git HTTP clients ('git clone' etc.)
    scope(controller: :git_http) do
      get '/info/refs', action: :info_refs
@@ -26,7 +28,7 @@ scope(path: '*namespace_id/:project_id', constraints: { format: nil }) do
  end
  # Redirect /group/project/info/refs to /group/project.git/info/refs
-  scope(constraints: { project_id: Gitlab::Regex.project_route_regex }) do
+  scope(constraints: { project_id: Gitlab::PathRegex.project_route_regex }) do
    # Allow /info/refs, /info/refs?service=git-upload-pack, and
    # /info/refs?service=git-receive-pack, but nothing else.
    #

--- a/config/routes/group.rb
+++ b/config/routes/group.rb
+require 'constraints/group_url_constrainer'
 resources :groups, only: [:index, :new, :create]
 scope(path: 'groups/*group_id',
      module: :groups,
      as: :group,
-      constraints: { group_id: Gitlab::Regex.namespace_route_regex }) do
+      constraints: { group_id: Gitlab::PathRegex.full_namespace_route_regex }) do
  resources :group_members, only: [:index, :create, :update, :destroy], concerns: :access_requestable do
    post :resend_invite, on: :member
    delete :leave, on: :collection
@@ -25,7 +27,7 @@ end
 scope(path: 'groups/*id',
      controller: :groups,
-      constraints: { id: Gitlab::Regex.namespace_route_regex, format: /(html|json|atom)/ }) do
+      constraints: { id: Gitlab::PathRegex.full_namespace_route_regex, format: /(html|json|atom)/ }) do
  get :edit, as: :edit_group
  get :issues, as: :issues_group
  get :merge_requests, as: :merge_requests_group
@@ -34,3 +36,15 @@ scope(path: 'groups/*id',
  get :subgroups, as: :subgroups_group
  get '/', action: :show, as: :group_canonical
 end
+constraints(GroupUrlConstrainer.new) do
+  scope(path: '*id',
+        as: :group,
+        constraints: { id: Gitlab::PathRegex.full_namespace_route_regex, format: /(html|json|atom)/ },
+        controller: :groups) do
+    get '/', action: :show
+    patch '/', action: :update
+    put '/', action: :update
+    delete '/', action: :destroy
+  end
+end
--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -5,9 +5,24 @@ resources :projects, only: [:index, :new, :create]
 draw :git_http
 constraints(ProjectUrlConstrainer.new) do
-  scope(path: '*namespace_id', as: :namespace) do
+  # If the route has a wildcard segment, the segment has a regex constraint,
+  # the segment is potentially followed by _another_ wildcard segment, and
+  # the `format` option is not set to false, we need to specify that
+  # regex constraint _outside_ of `constraints: {}`.
+  #
+  # Otherwise, Rails will overwrite the constraint with `/.+?/`,
+  # which breaks some of our wildcard routes like `/blob/*id`
+  # and `/tree/*id` that depend on the negative lookahead inside
+  # `Gitlab::PathRegex.full_namespace_route_regex`, which helps the router
+  # determine whether a certain path segment is part of `*namespace_id`,
+  # `:project_id`, or `*id`.
+  #
+  # See https://github.com/rails/rails/blob/v4.2.8/actionpack/lib/action_dispatch/routing/mapper.rb#L155
+  scope(path: '*namespace_id',
+        as: :namespace,
+        namespace_id: Gitlab::PathRegex.full_namespace_route_regex) do
    scope(path: ':project_id',
-          constraints: { project_id: Gitlab::Regex.project_route_regex },
+          constraints: { project_id: Gitlab::PathRegex.project_route_regex },
          module: :projects,
          as: :project) do
@@ -314,7 +329,7 @@ constraints(ProjectUrlConstrainer.new) do
      resources :runner_projects, only: [:create, :destroy]
      resources :badges, only: [:index] do
        collection do
-          scope '*ref', constraints: { ref: Gitlab::Regex.git_reference_regex } do
+          scope '*ref', constraints: { ref: Gitlab::PathRegex.git_reference_regex } do
            constraints format: /svg/ do
              get :build
              get :coverage
@@ -337,7 +352,7 @@ constraints(ProjectUrlConstrainer.new) do
    resources(:projects,
              path: '/',
-              constraints: { id: Gitlab::Regex.project_route_regex },
+              constraints: { id: Gitlab::PathRegex.project_route_regex },
              only: [:edit, :show, :update, :destroy]) do
      member do
        put :transfer

--- a/config/routes/repository.rb
+++ b/config/routes/repository.rb
@@ -2,7 +2,7 @@
 resource :repository, only: [:create] do
  member do
-    get 'archive', constraints: { format: Gitlab::Regex.archive_formats_regex }
+    get 'archive', constraints: { format: Gitlab::PathRegex.archive_formats_regex }
  end
 end
@@ -24,7 +24,7 @@ scope format: false do
    member do
      # tree viewer logs
-      get 'logs_tree', constraints: { id: Gitlab::Regex.git_reference_regex }
+      get 'logs_tree', constraints: { id: Gitlab::PathRegex.git_reference_regex }
      # Directories with leading dots erroneously get rejected if git
      # ref regex used in constraints. Regex verification now done in controller.
      get 'logs_tree/*path', action: :logs_tree, as: :logs_file, format: false, constraints: {
@@ -34,7 +34,7 @@ scope format: false do
    end
  end
-  scope constraints: { id: Gitlab::Regex.git_reference_regex } do
+  scope constraints: { id: Gitlab::PathRegex.git_reference_regex } do
    resources :network, only: [:show]
    resources :graphs, only: [:show] do

--- a/config/routes/user.rb
+++ b/config/routes/user.rb
@@ -11,19 +11,7 @@ devise_scope :user do
  get '/users/almost_there' => 'confirmations#almost_there'
 end
-constraints(UserUrlConstrainer.new) do
+scope(constraints: { username: Gitlab::PathRegex.root_namespace_route_regex }) do
-  # Get all keys of user
-  get ':username.keys' => 'profiles/keys#get_keys', constraints: { username: Gitlab::Regex.namespace_route_regex }
-  scope(path: ':username',
-        as: :user,
-        constraints: { username: Gitlab::Regex.namespace_route_regex },
-        controller: :users) do
-    get '/', action: :show
-  end
-end
-scope(constraints: { username: Gitlab::Regex.namespace_route_regex }) do
  scope(path: 'users/:username',
        as: :user,
        controller: :users) do
@@ -46,3 +34,15 @@ scope(constraints: { username: Gitlab::Regex.namespace_route_regex }) do
  get '/u/:username/snippets', to: redirect('/users/%{username}/snippets')
  get '/u/:username/contributed', to: redirect('/users/%{username}/contributed')
 end
+constraints(UserUrlConstrainer.new) do
+  # Get all keys of user
+  get ':username.keys' => 'profiles/keys#get_keys', constraints: { username: Gitlab::PathRegex.root_namespace_route_regex }
+  scope(path: ':username',
+        as: :user,
+        constraints: { username: Gitlab::PathRegex.root_namespace_route_regex },
+        controller: :users) do
+    get '/', action: :show
+  end
+end
--- a/doc/user/group/subgroups/index.md
+++ b/doc/user/group/subgroups/index.md
@@ -71,9 +71,9 @@ structure.
 - You need to be an Owner of a group in order to be able to create
  a subgroup. For more information check the [permissions table][permissions].
 - For a list of words that are not allowed to be used as group names see the
-  [`dynamic_path_validator.rb` file][reserved] under the `TOP_LEVEL_ROUTES`, `WILDCARD_ROUTES` and `GROUP_ROUTES` lists:
+  [`dynamic_path_validator.rb` file][reserved] under the `TOP_LEVEL_ROUTES`, `PROJECT_WILDCARD_ROUTES` and `GROUP_ROUTES` lists:
  - `TOP_LEVEL_ROUTES`: are names that are reserved as usernames or top level groups
-  - `WILDCARD_ROUTES`: are names that are reserved for child groups or projects.
+  - `PROJECT_WILDCARD_ROUTES`: are names that are reserved for child groups or projects.
  - `GROUP_ROUTES`: are names that are reserved for all groups or projects.
 To create a subgroup:

--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -85,7 +85,7 @@ module API
        optional :sha, type: String, desc: 'The commit sha of the archive to be downloaded'
        optional :format, type: String, desc: 'The archive format'
      end
-      get ':id/repository/archive', requirements: { format: Gitlab::Regex.archive_formats_regex } do
+      get ':id/repository/archive', requirements: { format: Gitlab::PathRegex.archive_formats_regex } do
        begin
          send_git_archive user_project.repository, ref: params[:sha], format: params[:format]
        rescue

--- a/lib/api/v3/repositories.rb
+++ b/lib/api/v3/repositories.rb
@@ -72,7 +72,7 @@ module API
          optional :sha, type: String, desc: 'The commit sha of the archive to be downloaded'
          optional :format, type: String, desc: 'The archive format'
        end
-        get ':id/repository/archive', requirements: { format: Gitlab::Regex.archive_formats_regex } do
+        get ':id/repository/archive', requirements: { format: Gitlab::PathRegex.archive_formats_regex } do
          begin
            send_git_archive user_project.repository, ref: params[:sha], format: params[:format]
          rescue

--- a/lib/constraints/group_url_constrainer.rb
+++ b/lib/constraints/group_url_constrainer.rb
 class GroupUrlConstrainer
  def matches?(request)
-    id = request.params[:id]
+    full_path = request.params[:group_id] || request.params[:id]
-    return false unless DynamicPathValidator.valid?(id)
+    return false unless DynamicPathValidator.valid_group_path?(full_path)
-    Group.find_by_full_path(id, follow_redirects: request.get?).present?
+    Group.find_by_full_path(full_path, follow_redirects: request.get?).present?
  end
 end
--- a/lib/constraints/project_url_constrainer.rb
+++ b/lib/constraints/project_url_constrainer.rb
@@ -2,9 +2,9 @@ class ProjectUrlConstrainer
  def matches?(request)
    namespace_path = request.params[:namespace_id]
    project_path = request.params[:project_id] || request.params[:id]
-    full_path = namespace_path + '/' + project_path
+    full_path = [namespace_path, project_path].join('/')
-    return false unless DynamicPathValidator.valid?(full_path)
+    return false unless DynamicPathValidator.valid_project_path?(full_path)
    Project.find_by_full_path(full_path, follow_redirects: request.get?).present?
  end

--- a/lib/constraints/user_url_constrainer.rb
+++ b/lib/constraints/user_url_constrainer.rb
 class UserUrlConstrainer
  def matches?(request)
-    User.find_by_full_path(request.params[:username], follow_redirects: request.get?).present?
+    full_path = request.params[:username]
+    return false unless DynamicPathValidator.valid_user_path?(full_path)
+    User.find_by_full_path(full_path, follow_redirects: request.get?).present?
  end
 end
--- a/lib/gitlab/etag_caching/router.rb
+++ b/lib/gitlab/etag_caching/router.rb
@@ -10,7 +10,7 @@ module Gitlab
      #   - Ending in `issues/id`/realtime_changes` for the `issue_title` route
      USED_IN_ROUTES = %w[noteable issue notes issues realtime_changes
                          commit pipelines merge_requests new].freeze
-      RESERVED_WORDS = DynamicPathValidator::WILDCARD_ROUTES - USED_IN_ROUTES
+      RESERVED_WORDS = Gitlab::PathRegex::ILLEGAL_PROJECT_PATH_WORDS - USED_IN_ROUTES
      RESERVED_WORDS_REGEX = Regexp.union(*RESERVED_WORDS)
      ROUTES = [
        Gitlab::EtagCaching::Router::Route.new(

--- a/lib/gitlab/path_regex.rb
+++ b/lib/gitlab/path_regex.rb
+module Gitlab
+  module PathRegex
+    extend self
+    # All routes that appear on the top level must be listed here.
+    # This will make sure that groups cannot be created with these names
+    # as these routes would be masked by the paths already in place.
+    #
+    # Example:
+    #   /api/api-project
+    #
+    #  the path `api` shouldn't be allowed because it would be masked by `api/*`
+    #
+    TOP_LEVEL_ROUTES = %w[
+      -
+      .well-known
+      abuse_reports
+      admin
+      all
+      api
+      assets
+      autocomplete
+      ci
+      dashboard
+      explore
+      files
+      groups
+      health_check
+      help
+      hooks
+      import
+      invites
+      issues
+      jwt
+      koding
+      member
+      merge_requests
+      new
+      notes
+      notification_settings
+      oauth
+      profile
+      projects
+      public
+      repository
+      robots.txt
+      s
+      search
+      sent_notifications
+      services
+      snippets
+      teams
+      u
+      unicorn_test
+      unsubscribes
+      uploads
+      users
+    ].freeze
+    # This list should contain all words following `/*namespace_id/:project_id` in
+    # routes that contain a second wildcard.
+    #
+    # Example:
+    #   /*namespace_id/:project_id/badges/*ref/build
+    #
+    # If `badges` was allowed as a project/group name, we would not be able to access the
+    # `badges` route for those projects:
+    #
+    # Consider a namespace with path `foo/bar` and a project called `badges`.
+    # The route to the build badge would then be `/foo/bar/badges/badges/master/build.svg`
+    #
+    # When accessing this path the route would be matched to the `badges` path
+    # with the following params:
+    #   - namespace_id: `foo`
+    #   - project_id: `bar`
+    #   - ref: `badges/master`
+    #
+    # Failing to find the project, this would result in a 404.
+    #
+    # By rejecting `badges` the router can _count_ on the fact that `badges` will
+    # be preceded by the `namespace/project`.
+    PROJECT_WILDCARD_ROUTES = %w[
+      badges
+      blame
+      blob
+      builds
+      commits
+      create
+      create_dir
+      edit
+      environments/folders
+      files
+      find_file
+      gitlab-lfs/objects
+      info/lfs/objects
+      new
+      preview
+      raw
+      refs
+      tree
+      update
+      wikis
+    ].freeze
+    # These are all the paths that follow `/groups/*id/ or `/groups/*group_id`
+    # We need to reject these because we have a `/groups/*id` page that is the same
+    # as the `/*id`.
+    #
+    # If we would allow a subgroup to be created with the name `activity` then
+    # this group would not be accessible through `/groups/parent/activity` since
+    # this would map to the activity-page of its parent.
+    GROUP_ROUTES = %w[
+      activity
+      analytics
+      audit_events
+      avatar
+      edit
+      group_members
+      hooks
+      issues
+      labels
+      ldap
+      ldap_group_links
+      merge_requests
+      milestones
+      notification_setting
+      pipeline_quota
+      projects
+      subgroups
+    ].freeze
+    ILLEGAL_PROJECT_PATH_WORDS = PROJECT_WILDCARD_ROUTES
+    ILLEGAL_GROUP_PATH_WORDS = (PROJECT_WILDCARD_ROUTES | GROUP_ROUTES).freeze
+    # The namespace regex is used in JavaScript to validate usernames in the "Register" form. However, Javascript
+    # does not support the negative lookbehind assertion (?<!) that disallows usernames ending in `.git` and `.atom`.
+    # Since this is a non-trivial problem to solve in Javascript (heavily complicate the regex, modify view code to
+    # allow non-regex validations, etc), `NAMESPACE_FORMAT_REGEX_JS` serves as a Javascript-compatible version of
+    # `NAMESPACE_FORMAT_REGEX`, with the negative lookbehind assertion removed. This means that the client-side validation
+    # will pass for usernames ending in `.atom` and `.git`, but will be caught by the server-side validation.
+    PATH_REGEX_STR = '[a-zA-Z0-9_\.][a-zA-Z0-9_\-\.]*'.freeze
+    NAMESPACE_FORMAT_REGEX_JS = PATH_REGEX_STR + '[a-zA-Z0-9_\-]|[a-zA-Z0-9_]'.freeze
+    NO_SUFFIX_REGEX = /(?<!\.git|\.atom)/.freeze
+    NAMESPACE_FORMAT_REGEX = /(?:#{NAMESPACE_FORMAT_REGEX_JS})#{NO_SUFFIX_REGEX}/.freeze
+    PROJECT_PATH_FORMAT_REGEX = /(?:#{PATH_REGEX_STR})#{NO_SUFFIX_REGEX}/.freeze
+    FULL_NAMESPACE_FORMAT_REGEX = %r{(#{NAMESPACE_FORMAT_REGEX}/)*#{NAMESPACE_FORMAT_REGEX}}.freeze
+    def root_namespace_route_regex
+      @root_namespace_route_regex ||= begin
+        illegal_words = Regexp.new(Regexp.union(TOP_LEVEL_ROUTES).source, Regexp::IGNORECASE)
+        single_line_regexp %r{
+          (?!(#{illegal_words})/)
+          #{NAMESPACE_FORMAT_REGEX}
+        }x
+      end
+    end
+    def full_namespace_route_regex
+      @full_namespace_route_regex ||= begin
+        illegal_words = Regexp.new(Regexp.union(ILLEGAL_GROUP_PATH_WORDS).source, Regexp::IGNORECASE)
+        single_line_regexp %r{
+          #{root_namespace_route_regex}
+          (?:
+            /
+            (?!#{illegal_words}/)
+            #{NAMESPACE_FORMAT_REGEX}
+          )*
+        }x
+      end
+    end
+    def project_route_regex
+      @project_route_regex ||= begin
+        illegal_words = Regexp.new(Regexp.union(ILLEGAL_PROJECT_PATH_WORDS).source, Regexp::IGNORECASE)
+        single_line_regexp %r{
+          (?!(#{illegal_words})/)
+          #{PROJECT_PATH_FORMAT_REGEX}
+        }x
+      end
+    end
+    def project_git_route_regex
+      @project_git_route_regex ||= /#{project_route_regex}\.git/.freeze
+    end
+    def root_namespace_path_regex
+      @root_namespace_path_regex ||= %r{\A#{root_namespace_route_regex}/\z}
+    end
+    def full_namespace_path_regex
+      @full_namespace_path_regex ||= %r{\A#{full_namespace_route_regex}/\z}
+    end
+    def project_path_regex
+      @project_path_regex ||= %r{\A#{project_route_regex}/\z}
+    end
+    def full_project_path_regex
+      @full_project_path_regex ||= %r{\A#{full_namespace_route_regex}/#{project_route_regex}/\z}
+    end
+    def full_namespace_format_regex
+      @namespace_format_regex ||= /A#{FULL_NAMESPACE_FORMAT_REGEX}\z/.freeze
+    end
+    def namespace_format_regex
+      @namespace_format_regex ||= /\A#{NAMESPACE_FORMAT_REGEX}\z/.freeze
+    end
+    def namespace_format_message
+      "can contain only letters, digits, '_', '-' and '.'. " \
+      "Cannot start with '-' or end in '.', '.git' or '.atom'." \
+    end
+    def project_path_format_regex
+      @project_path_format_regex ||= /\A#{PROJECT_PATH_FORMAT_REGEX}\z/.freeze
+    end
+    def project_path_format_message
+      "can contain only letters, digits, '_', '-' and '.'. " \
+      "Cannot start with '-', end in '.git' or end in '.atom'" \
+    end
+    def archive_formats_regex
+      #                           |zip|tar|    tar.gz    |         tar.bz2         |
+      @archive_formats_regex ||= /(zip|tar|tar\.gz|tgz|gz|tar\.bz2|tbz|tbz2|tb2|bz2)/.freeze
+    end
+    def git_reference_regex
+      # Valid git ref regex, see:
+      # https://www.kernel.org/pub/software/scm/git/docs/git-check-ref-format.html
+      @git_reference_regex ||= single_line_regexp %r{
+        (?!
+           (?# doesn't begins with)
+           \/|                    (?# rule #6)
+           (?# doesn't contain)
+           .*(?:
+              [\/.]\.|            (?# rule #1,3)
+              \/\/|               (?# rule #6)
+              @\{|                (?# rule #8)
+              \\                  (?# rule #9)
+           )
+        )
+        [^\000-\040\177~^:?*\[]+  (?# rule #4-5)
+        (?# doesn't end with)
+        (?<!\.lock)               (?# rule #1)
+        (?<![\/.])                (?# rule #6-7)
+      }x
+    end
+    private
+    def single_line_regexp(regex)
+      # Turns a multiline extended regexp into a single line one,
+      # beacuse `rake routes` breaks on multiline regexes.
+      Regexp.new(regex.source.gsub(/\(\?#.+?\)/ , '').gsub(/\s*/, ''), regex.options ^ Regexp::EXTENDED).freeze
+    end
+  end
+end
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -2,39 +2,6 @@ module Gitlab
  module Regex
    extend self
-    # The namespace regex is used in Javascript to validate usernames in the "Register" form. However, Javascript
-    # does not support the negative lookbehind assertion (?<!) that disallows usernames ending in `.git` and `.atom`.
-    # Since this is a non-trivial problem to solve in Javascript (heavily complicate the regex, modify view code to
-    # allow non-regex validatiions, etc), `NAMESPACE_REGEX_STR_JS` serves as a Javascript-compatible version of
-    # `NAMESPACE_REGEX_STR`, with the negative lookbehind assertion removed. This means that the client-side validation
-    # will pass for usernames ending in `.atom` and `.git`, but will be caught by the server-side validation.
-    PATH_REGEX_STR = '[a-zA-Z0-9_\.][a-zA-Z0-9_\-\.]*'.freeze
-    NAMESPACE_REGEX_STR_JS = PATH_REGEX_STR + '[a-zA-Z0-9_\-]|[a-zA-Z0-9_]'.freeze
-    NO_SUFFIX_REGEX_STR = '(?<!\.git|\.atom)'.freeze
-    NAMESPACE_REGEX_STR = "(?:#{NAMESPACE_REGEX_STR_JS})#{NO_SUFFIX_REGEX_STR}".freeze
-    PROJECT_REGEX_STR = "(?:#{PATH_REGEX_STR})#{NO_SUFFIX_REGEX_STR}".freeze
-    # Same as NAMESPACE_REGEX_STR but allows `/` in the path.
-    # So `group/subgroup` will match this regex but not NAMESPACE_REGEX_STR
-    FULL_NAMESPACE_REGEX_STR = "(?:#{NAMESPACE_REGEX_STR}/)*#{NAMESPACE_REGEX_STR}".freeze
-    def namespace_regex
-      @namespace_regex ||= /\A#{NAMESPACE_REGEX_STR}\z/.freeze
-    end
-    def full_namespace_regex
-      @full_namespace_regex ||= %r{\A#{FULL_NAMESPACE_REGEX_STR}\z}
-    end
-    def namespace_route_regex
-      @namespace_route_regex ||= /#{NAMESPACE_REGEX_STR}/.freeze
-    end
-    def namespace_regex_message
-      "can contain only letters, digits, '_', '-' and '.'. " \
-      "Cannot start with '-' or end in '.', '.git' or '.atom'." \
-    end
    def namespace_name_regex
      @namespace_name_regex ||= /\A[\p{Alnum}\p{Pd}_\. ]*\z/.freeze
    end
@@ -52,23 +19,6 @@ module Gitlab
      "It must start with letter, digit, emoji or '_'."
    end
-    def project_path_regex
-      @project_path_regex ||= /\A#{PROJECT_REGEX_STR}\z/.freeze
-    end
-    def project_route_regex
-      @project_route_regex ||= /#{PROJECT_REGEX_STR}/.freeze
-    end
-    def project_git_route_regex
-      @project_route_git_regex ||= /#{PATH_REGEX_STR}\.git/.freeze
-    end
-    def project_path_regex_message
-      "can contain only letters, digits, '_', '-' and '.'. " \
-      "Cannot start with '-', end in '.git' or end in '.atom'" \
-    end
    def file_name_regex
      @file_name_regex ||= /\A[[[:alnum:]]_\-\.\@\+]*\z/.freeze
    end
@@ -77,36 +27,8 @@ module Gitlab
      "can contain only letters, digits, '_', '-', '@', '+' and '.'."
    end
-    def archive_formats_regex
-      #                           |zip|tar|    tar.gz    |         tar.bz2         |
-      @archive_formats_regex ||= /(zip|tar|tar\.gz|tgz|gz|tar\.bz2|tbz|tbz2|tb2|bz2)/.freeze
-    end
-    def git_reference_regex
-      # Valid git ref regex, see:
-      # https://www.kernel.org/pub/software/scm/git/docs/git-check-ref-format.html
-      @git_reference_regex ||= %r{
-        (?!
-           (?# doesn't begins with)
-           \/|                    (?# rule #6)
-           (?# doesn't contain)
-           .*(?:
-              [\/.]\.|            (?# rule #1,3)
-              \/\/|               (?# rule #6)
-              @\{|                (?# rule #8)
-              \\                  (?# rule #9)
-           )
-        )
-        [^\000-\040\177~^:?*\[]+  (?# rule #4-5)
-        (?# doesn't end with)
-        (?<!\.lock)               (?# rule #1)
-        (?<![\/.])                (?# rule #6-7)
-      }x.freeze
-    end
    def container_registry_reference_regex
-      git_reference_regex
+      Gitlab::PathRegex.git_reference_regex
    end
    ##

--- a/spec/lib/gitlab/path_regex_spec.rb
+++ b/spec/lib/gitlab/path_regex_spec.rb
--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@@ -2,18 +2,6 @@
 require 'spec_helper'
 describe Gitlab::Regex, lib: true do
-  describe '.project_path_regex' do
-    subject { described_class.project_path_regex }
-    it { is_expected.to match('gitlab-ce') }
-    it { is_expected.to match('gitlab_git') }
-    it { is_expected.to match('_underscore.js') }
-    it { is_expected.to match('100px.com') }
-    it { is_expected.not_to match('?gitlab') }
-    it { is_expected.not_to match('git lab') }
-    it { is_expected.not_to match('gitlab.git') }
-  end
  describe '.project_name_regex' do
    subject { described_class.project_name_regex }
@@ -44,16 +32,4 @@ describe Gitlab::Regex, lib: true do
    it { is_expected.not_to match('9foo') }
    it { is_expected.not_to match('foo-') }
  end
-  describe '.full_namespace_regex' do
-    subject { described_class.full_namespace_regex }
-    it { is_expected.to match('gitlab.org') }
-    it { is_expected.to match('gitlab.org/gitlab-git') }
-    it { is_expected.not_to match('gitlab.org.') }
-    it { is_expected.not_to match('gitlab.org/') }
-    it { is_expected.not_to match('/gitlab.org') }
-    it { is_expected.not_to match('gitlab.git') }
-    it { is_expected.not_to match('gitlab git') }
-  end
 end
--- a/spec/models/namespace_spec.rb
+++ b/spec/models/namespace_spec.rb
@@ -37,7 +37,7 @@ describe Namespace, models: true do
        it 'rejects nested paths' do
          parent = create(:group, :nested, path: 'environments')
-          namespace = build(:project, path: 'folders', namespace: parent)
+          namespace = build(:group, path: 'folders', parent: parent)
          expect(namespace).not_to be_valid
        end
@@ -238,8 +238,8 @@ describe Namespace, models: true do
    end
    context 'in sub-groups' do
-      let(:parent) { create(:namespace, path: 'parent') }
+      let(:parent) { create(:group, path: 'parent') }
-      let(:child) { create(:namespace, parent: parent, path: 'child') }
+      let(:child) { create(:group, parent: parent, path: 'child') }
      let!(:project) { create(:project_empty_repo, namespace: child) }
      let(:path_in_dir) { File.join(repository_storage_path, 'parent', 'child') }
      let(:deleted_path) { File.join('parent', "child+#{child.id}+deleted") }

--- a/spec/models/project_services/kubernetes_service_spec.rb
+++ b/spec/models/project_services/kubernetes_service_spec.rb
@@ -100,7 +100,7 @@ describe KubernetesService, models: true, caching: true do
      it 'sets the namespace to the default' do
        expect(kube_namespace).not_to be_nil
-        expect(kube_namespace[:placeholder]).to match(/\A#{Gitlab::Regex::PATH_REGEX_STR}-\d+\z/)
+        expect(kube_namespace[:placeholder]).to match(/\A#{Gitlab::PathRegex::PATH_REGEX_STR}-\d+\z/)
      end
    end
  end
@@ -187,7 +187,7 @@ describe KubernetesService, models: true, caching: true do
        kube_namespace = subject.predefined_variables.find { |h| h[:key] == 'KUBE_NAMESPACE' }
        expect(kube_namespace).not_to be_nil
-        expect(kube_namespace[:value]).to match(/\A#{Gitlab::Regex::PATH_REGEX_STR}-\d+\z/)
+        expect(kube_namespace[:value]).to match(/\A#{Gitlab::PathRegex::PATH_REGEX_STR}-\d+\z/)
      end
    end
  end

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -287,7 +287,7 @@ describe API::Users do
      expect(json_response['message']['projects_limit']).
        to eq(['must be greater than or equal to 0'])
      expect(json_response['message']['username']).
-        to eq([Gitlab::Regex.namespace_regex_message])
+        to eq([Gitlab::PathRegex.namespace_format_message])
    end
    it "is not available for non admin users" do
@@ -459,7 +459,7 @@ describe API::Users do
      expect(json_response['message']['projects_limit']).
        to eq(['must be greater than or equal to 0'])
      expect(json_response['message']['username']).
-        to eq([Gitlab::Regex.namespace_regex_message])
+        to eq([Gitlab::PathRegex.namespace_format_message])
    end
    it 'returns 400 if provider is missing for identity update' do

--- a/spec/routing/project_routing_spec.rb
+++ b/spec/routing/project_routing_spec.rb
@@ -462,6 +462,8 @@ describe 'project routing' do
      expect(get('/gitlab/gitlabhq/blob/master/app/models/compare.rb')).to route_to('projects/blob#show', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'master/app/models/compare.rb')
      expect(get('/gitlab/gitlabhq/blob/master/app/models/diff.js')).to route_to('projects/blob#show', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'master/app/models/diff.js')
      expect(get('/gitlab/gitlabhq/blob/master/files.scss')).to route_to('projects/blob#show', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'master/files.scss')
+      expect(get('/gitlab/gitlabhq/blob/master/blob/index.js')).to route_to('projects/blob#show', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'master/blob/index.js')
+      expect(get('/gitlab/gitlabhq/blob/blob/master/blob/index.js')).to route_to('projects/blob#show', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'blob/master/blob/index.js')
    end
  end
@@ -470,6 +472,8 @@ describe 'project routing' do
    it 'to #show' do
      expect(get('/gitlab/gitlabhq/tree/master/app/models/project.rb')).to route_to('projects/tree#show', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'master/app/models/project.rb')
      expect(get('/gitlab/gitlabhq/tree/master/files.scss')).to route_to('projects/tree#show', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'master/files.scss')
+      expect(get('/gitlab/gitlabhq/tree/master/tree/files')).to route_to('projects/tree#show', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'master/tree/files')
+      expect(get('/gitlab/gitlabhq/tree/tree/master/tree/files')).to route_to('projects/tree#show', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'tree/master/tree/files')
    end
  end

--- a/spec/validators/dynamic_path_validator_spec.rb
+++ b/spec/validators/dynamic_path_validator_spec.rb
@@ -3,246 +3,46 @@ require 'spec_helper'
 describe DynamicPathValidator do
  let(:validator) { described_class.new(attributes: [:path]) }
-  # Pass in a full path to remove the format segment:
+  describe '#path_valid_for_record?' do
-  # `/ci/lint(.:format)` -> `/ci/lint`
+    context 'for project' do
-  def without_format(path)
+      it 'calls valid_project_path?' do
-    path.split('(', 2)[0]
+        project = build(:project, path: 'activity')
-  end
-  # Pass in a full path and get the last segment before a wildcard
-  # That's not a parameter
-  # `/*namespace_id/:project_id/builds/artifacts/*ref_name_and_path`
-  #    -> 'builds/artifacts'
-  def path_before_wildcard(path)
-    path = path.gsub(STARTING_WITH_NAMESPACE, "")
-    path_segments = path.split('/').reject(&:empty?)
-    wildcard_index = path_segments.index { |segment| parameter?(segment) }
-    segments_before_wildcard = path_segments[0..wildcard_index - 1]
-    segments_before_wildcard.join('/')
-  end
-  def parameter?(segment)
-    segment =~ /[*:]/
-  end
-  # If the path is reserved. Then no conflicting paths can# be created for any
-  # route using this reserved word.
-  #
-  # Both `builds/artifacts` & `build` are covered by reserving the word
-  # `build`
-  def wildcards_include?(path)
-    described_class::WILDCARD_ROUTES.include?(path) ||
-      described_class::WILDCARD_ROUTES.include?(path.split('/').first)
-  end
-  def failure_message(missing_words, constant_name, migration_helper)
-    missing_words = Array(missing_words)
-    <<-MSG
-      Found new routes that could cause conflicts with existing namespaced routes
-      for groups or projects.
-      Add <#{missing_words.join(', ')}> to `DynamicPathValidator::#{constant_name}
+        expect(described_class).to receive(:valid_project_path?).with(project.full_path).and_call_original
-      to make sure no projects or namespaces can be created with those paths.
-      To rename any existing records with those paths you can use the
+        expect(validator.path_valid_for_record?(project, 'activity')).to be_truthy
-      `Gitlab::Database::RenameReservedpathsMigration::<VERSION>.#{migration_helper}`
-      migration helper.
-      Make sure to make a note of the renamed records in the release blog post.
-    MSG
-  end
-  let(:all_routes) do
-    Rails.application.routes.routes.routes.
-      map { |r| r.path.spec.to_s }
-  end
-  let(:routes_without_format) { all_routes.map { |path| without_format(path) } }
-  # Routes not starting with `/:` or `/*`
-  # all routes not starting with a param
-  let(:routes_not_starting_in_wildcard) { routes_without_format.select { |p| p !~ %r{^/[:*]} } }
-  let(:top_level_words) do
-    routes_not_starting_in_wildcard.map do |route|
-      route.split('/')[1]
-    end.compact.uniq
-  end
-  # All routes that start with a namespaced path, that have 1 or more
-  # path-segments before having another wildcard parameter.
-  # - Starting with paths:
-  #   - `/*namespace_id/:project_id/`
-  #   - `/*namespace_id/:id/`
-  # - Followed by one or more path-parts not starting with `:` or `*`
-  # - Followed by a path-part that includes a wildcard parameter `*`
-  # At the time of writing these routes match: http://rubular.com/r/Rv2pDE5Dvw
-  STARTING_WITH_NAMESPACE = %r{^/\*namespace_id/:(project_)?id}
-  NON_PARAM_PARTS = %r{[^:*][a-z\-_/]*}
-  ANY_OTHER_PATH_PART = %r{[a-z\-_/:]*}
-  WILDCARD_SEGMENT = %r{\*}
-  let(:namespaced_wildcard_routes) do
-    routes_without_format.select do |p|
-      p =~ %r{#{STARTING_WITH_NAMESPACE}/#{NON_PARAM_PARTS}/#{ANY_OTHER_PATH_PART}#{WILDCARD_SEGMENT}}
-    end
-  end
-  # This will return all paths that are used in a namespaced route
-  # before another wildcard path:
-  #
-  # /*namespace_id/:project_id/builds/artifacts/*ref_name_and_path
-  # /*namespace_id/:project_id/info/lfs/objects/*oid
-  # /*namespace_id/:project_id/commits/*id
-  # /*namespace_id/:project_id/builds/:build_id/artifacts/file/*path
-  # -> ['builds/artifacts', 'info/lfs/objects', 'commits', 'artifacts/file']
-  let(:all_wildcard_paths) do
-    namespaced_wildcard_routes.map do |route|
-      path_before_wildcard(route)
-    end.uniq
-  end
-  STARTING_WITH_GROUP = %r{^/groups/\*(group_)?id/}
-  let(:group_routes) do
-    routes_without_format.select do |path|
-      path =~ STARTING_WITH_GROUP
-    end
-  end
-  let(:paths_after_group_id) do
-    group_routes.map do |route|
-      route.gsub(STARTING_WITH_GROUP, '').split('/').first
-    end.uniq
-  end
-  describe 'TOP_LEVEL_ROUTES' do
-    it 'includes all the top level namespaces' do
-      failure_block = lambda do
-        missing_words = top_level_words - described_class::TOP_LEVEL_ROUTES
-        failure_message(missing_words, 'TOP_LEVEL_ROUTES', 'rename_root_paths')
      end
-      expect(described_class::TOP_LEVEL_ROUTES)
-        .to include(*top_level_words), failure_block
    end
-  end
-  describe 'GROUP_ROUTES' do
+    context 'for group' do
-    it "don't contain a second wildcard" do
+      it 'calls valid_group_path?' do
-      failure_block = lambda do
+        group = build(:group, :nested, path: 'activity')
-        missing_words = paths_after_group_id - described_class::GROUP_ROUTES
-        failure_message(missing_words, 'GROUP_ROUTES', 'rename_child_paths')
-      end
-      expect(described_class::GROUP_ROUTES)
+        expect(described_class).to receive(:valid_group_path?).with(group.full_path).and_call_original
-        .to include(*paths_after_group_id), failure_block
-    end
-  end
-  describe 'WILDCARD_ROUTES' do
+        expect(validator.path_valid_for_record?(group, 'activity')).to be_falsey
-    it 'includes all paths that can be used after a namespace/project path' do
-      aggregate_failures do
-        all_wildcard_paths.each do |path|
-          expect(wildcards_include?(path))
-            .to be(true), failure_message(path, 'WILDCARD_ROUTES', 'rename_wildcard_paths')
-        end
      end
    end
-  end
-  describe '.without_reserved_wildcard_paths_regex' do
+    context 'for user' do
-    subject { described_class.without_reserved_wildcard_paths_regex }
+      it 'calls valid_user_path?' do
+        user = build(:user, username: 'activity')
-    it 'rejects paths starting with a reserved top level' do
+        expect(described_class).to receive(:valid_user_path?).with(user.full_path).and_call_original
-      expect(subject).not_to match('dashboard/hello/world')
-      expect(subject).not_to match('dashboard')
-    end
-    it 'matches valid paths with a toplevel word in a different place' do
+        expect(validator.path_valid_for_record?(user, 'activity')).to be_truthy
-      expect(subject).to match('parent/dashboard/project-path')
+      end
-    end
-    it 'rejects paths containing a wildcard reserved word' do
-      expect(subject).not_to match('hello/edit')
-      expect(subject).not_to match('hello/edit/in-the-middle')
-      expect(subject).not_to match('foo/bar1/refs/master/logs_tree')
-    end
-    it 'matches valid paths' do
-      expect(subject).to match('parent/child/project-path')
-    end
-  end
-  describe '.regex_excluding_child_paths' do
-    let(:subject) { described_class.without_reserved_child_paths_regex }
-    it 'rejects paths containing a child reserved word' do
-      expect(subject).not_to match('hello/group_members')
-      expect(subject).not_to match('hello/activity/in-the-middle')
-      expect(subject).not_to match('foo/bar1/refs/master/logs_tree')
-    end
-    it 'allows a child path on the top level' do
-      expect(subject).to match('activity/foo')
-      expect(subject).to match('avatar')
-    end
-  end
-  describe ".valid?" do
-    it 'is not case sensitive' do
-      expect(described_class.valid?("Users")).to be_falsey
-    end
-    it "isn't valid when the top level is reserved" do
-      test_path = 'u/should-be-a/reserved-word'
-      expect(described_class.valid?(test_path)).to be_falsey
-    end
-    it "isn't valid if any of the path segments is reserved" do
-      test_path = 'the-wildcard/wikis/is-not-allowed'
-      expect(described_class.valid?(test_path)).to be_falsey
-    end
-    it "is valid if the path doesn't contain reserved words" do
-      test_path = 'there-are/no-wildcards/in-this-path'
-      expect(described_class.valid?(test_path)).to be_truthy
-    end
-    it 'allows allows a child path on the last spot' do
-      test_path = 'there/can-be-a/project-called/labels'
-      expect(described_class.valid?(test_path)).to be_truthy
-    end
-    it 'rejects a child path somewhere else' do
-      test_path = 'there/can-be-no/labels/group'
-      expect(described_class.valid?(test_path)).to be_falsey
    end
-    it 'rejects paths that are in an incorrect format' do
+    context 'for user namespace' do
-      test_path = 'incorrect/format.git'
+      it 'calls valid_user_path?' do
+        user = create(:user, username: 'activity')
-      expect(described_class.valid?(test_path)).to be_falsey
+        namespace = user.namespace
-    end
-  end
-  describe '#path_reserved_for_record?' do
+        expect(described_class).to receive(:valid_user_path?).with(namespace.full_path).and_call_original
-    it 'reserves a sub-group named activity' do
-      group = build(:group, :nested, path: 'activity')
-      expect(validator.path_reserved_for_record?(group, 'activity')).to be_truthy
+        expect(validator.path_valid_for_record?(namespace, 'activity')).to be_truthy
-    end
+      end
-    it "doesn't reserve a project called activity" do
-      project = build(:project, path: 'activity')
-      expect(validator.path_reserved_for_record?(project, 'activity')).to be_falsey
    end
  end
@@ -252,7 +52,7 @@ describe DynamicPathValidator do
      validator.validate_each(group, :path, "Path with spaces, and comma's!")
-      expect(group.errors[:path]).to include(Gitlab::Regex.namespace_regex_message)
+      expect(group.errors[:path]).to include(Gitlab::PathRegex.namespace_format_message)
    end
    it 'adds a message when the path is not in the correct format' do