Commit cf1c9b28 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-fix-open-redirect-vulnerability-14-10' into '14-10-stable-ee'

Fix open redirect vulnerability

See merge request gitlab-org/security/gitlab!2540
parents ed6f3663 1450068a
......@@ -38,7 +38,8 @@ module Gitlab
# @param [String] namespace
def self.restore_full_path(namespace:, project:)
if project.include?(ENCODED_SLASH)
project.gsub(ENCODED_SLASH, SLASH)
# Replace multiple slashes with single ones to make sure the redirect stays on the same host
project.gsub(ENCODED_SLASH, SLASH).gsub(%r{\/{2,}}, '/')
else
"#{namespace}/#{project}"
end
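Review bot: Only the encoded-slash branch is normalized; the `else` branch at the bottom of the hunk still returns `"#{namespace}/#{project}"` untouched, so if either value can start or end with a slash the same leading `//` shape could be produced there — whether that is reachable depends on how the caller splits the incoming path, which is outside this hunk. Collapsing runs of slashes is what `String#squeeze` is for and it avoids the redundant escape in `%r{\/{2,}}`; assuming `SLASH` is the one-character `'/'`, the new line can read `project.gsub(ENCODED_SLASH, SLASH).squeeze(SLASH)`. The added comment would help the next reader more if it named the failure it prevents, e.g. `# Collapse repeated slashes: a path beginning with "//" is a protocol-relative URL and would redirect off-host`. Normalizing the string is a mitigation rather than a check, so asserting at the redirect site that the final target starts with a single "/" and carries no scheme would make the same-host guarantee explicit instead of implied.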
......@@ -25,27 +25,49 @@ RSpec.describe 'Jira referenced paths', type: :request do
expect(response).to redirect_to(redirect_path)
end
context 'with encoded subgroup path' do
where(:jira_path, :redirect_path) do
'/group/group@sub_group@sub_group_project' | '/group/sub_group/sub_group_project'
'/group@sub_group/group@sub_group@sub_group_project' | '/group/sub_group/sub_group_project'
'/group/group@sub_group@sub_group_project/commit/1234567' | '/group/sub_group/sub_group_project/commit/1234567'
'/group/group@sub_group@sub_group_project/tree/1234567' | '/group/sub_group/sub_group_project/-/tree/1234567'
shared_examples 'redirects to jira path' do
it 'redirects to canonical path with legacy prefix' do
redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path
end
with_them do
context 'with legacy prefix' do
it 'redirects to canonical path' do
redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path
end
end
it 'redirects to canonical path' do
redirects_to_canonical_path jira_path, redirect_path
end
it 'redirects to canonical path' do
redirects_to_canonical_path jira_path, redirect_path
end
end
let(:jira_path) { '/group/group@sub_group@sub_group_project' }
let(:redirect_path) { '/group/sub_group/sub_group_project' }
it_behaves_like 'redirects to jira path'
context 'contains @ before the first /' do
let(:jira_path) { '/group@sub_group/group@sub_group@sub_group_project' }
let(:redirect_path) { '/group/sub_group/sub_group_project' }
it_behaves_like 'redirects to jira path'
end
context 'including commit path' do
let(:jira_path) { '/group/group@sub_group@sub_group_project/commit/1234567' }
let(:redirect_path) { '/group/sub_group/sub_group_project/commit/1234567' }
it_behaves_like 'redirects to jira path'
end
context 'including tree path' do
let(:jira_path) { '/group/group@sub_group@sub_group_project/tree/1234567' }
let(:redirect_path) { '/group/sub_group/sub_group_project/-/tree/1234567' }
it_behaves_like 'redirects to jira path'
end
context 'malicious path' do
let(:jira_path) { '/group/@@malicious.server' }
let(:redirect_path) { '/malicious.server' }
it_behaves_like 'redirects to jira path'
end
context 'regular paths with legacy prefix' do
where(:jira_path, :redirect_path) do
'/-/jira/group/group_project' | '/group/group_project'
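Review bot: The `malicious path` context pins only the two-encoded-slash case (`@@` becoming `//`), while the regex it exercises collapses any run of two or more, so a row with a longer run (constructed example: `'/group/@@@malicious.server'` expecting `'/malicious.server'`) and one where the encoded run sits mid-path rather than at the start would document that both are normalized the same way. A short comment on the context explaining why the expected path drops the `group` segment — the encoded-slash branch uses the project part as the full path — would save a reader from reading it as a typo, e.g. `# "@@" decodes to "//"; a protocol-relative target must collapse to a same-host path`. The enclosing `describe` and the `where` table at the end start and end outside the hunk.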