Merge branch 'security-fix-open-redirect-vulnerability-14-10' into '14-10-stable-ee'

Fix open redirect vulnerability

See merge request gitlab-org/security/gitlab!2540

lib/gitlab/jira/dvcs.rb

@@ -38,7 +38,8 @@ module Gitlab
       # @param [String] namespace
       def self.restore_full_path(namespace:, project:)
         if project.include?(ENCODED_SLASH)
-          project.gsub(ENCODED_SLASH, SLASH)
+          # Replace multiple slashes with single ones to make sure the redirect stays on the same host
+          project.gsub(ENCODED_SLASH, SLASH).gsub(%r{\/{2,}}, '/')
         else
           "#{namespace}/#{project}"
         end

spec/requests/jira_routing_spec.rb

@@ -25,27 +25,49 @@ RSpec.describe 'Jira referenced paths', type: :request do
     expect(response).to redirect_to(redirect_path)
   end
 
-  context 'with encoded subgroup path' do
-    where(:jira_path, :redirect_path) do
-      '/group/group@sub_group@sub_group_project'                | '/group/sub_group/sub_group_project'
-      '/group@sub_group/group@sub_group@sub_group_project'      | '/group/sub_group/sub_group_project'
-      '/group/group@sub_group@sub_group_project/commit/1234567' | '/group/sub_group/sub_group_project/commit/1234567'
-      '/group/group@sub_group@sub_group_project/tree/1234567'   | '/group/sub_group/sub_group_project/-/tree/1234567'
+  shared_examples 'redirects to jira path' do
+    it 'redirects to canonical path with legacy prefix' do
+      redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path
     end
 
-    with_them do
-      context 'with legacy prefix' do
-        it 'redirects to canonical path' do
-          redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path
-        end
-      end
-
-      it 'redirects to canonical path' do
-        redirects_to_canonical_path jira_path, redirect_path
-      end
+    it 'redirects to canonical path' do
+      redirects_to_canonical_path jira_path, redirect_path
     end
   end
 
+  let(:jira_path) { '/group/group@sub_group@sub_group_project' }
+  let(:redirect_path) { '/group/sub_group/sub_group_project' }
+
+  it_behaves_like 'redirects to jira path'
+
+  context 'contains @ before the first /' do
+    let(:jira_path) { '/group@sub_group/group@sub_group@sub_group_project' }
+    let(:redirect_path) { '/group/sub_group/sub_group_project' }
+
+    it_behaves_like 'redirects to jira path'
+  end
+
+  context 'including commit path' do
+    let(:jira_path) { '/group/group@sub_group@sub_group_project/commit/1234567' }
+    let(:redirect_path) { '/group/sub_group/sub_group_project/commit/1234567' }
+
+    it_behaves_like 'redirects to jira path'
+  end
+
+  context 'including tree path' do
+    let(:jira_path) { '/group/group@sub_group@sub_group_project/tree/1234567' }
+    let(:redirect_path) { '/group/sub_group/sub_group_project/-/tree/1234567' }
+
+    it_behaves_like 'redirects to jira path'
+  end
+
+  context 'malicious path' do
+    let(:jira_path) { '/group/@@malicious.server' }
+    let(:redirect_path) { '/malicious.server' }
+
+    it_behaves_like 'redirects to jira path'
+  end
+
   context 'regular paths with legacy prefix' do
     where(:jira_path, :redirect_path) do
       '/-/jira/group/group_project'                | '/group/group_project'