Commit 417e58fd authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-open-redirect-internalredirect' into 'master'

Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.

Closes #2934

See merge request gitlab/gitlabhq!3466
parents ca324614 34e4b5c5
...@@ -6,7 +6,7 @@ module InternalRedirect ...@@ -6,7 +6,7 @@ module InternalRedirect
def safe_redirect_path(path) def safe_redirect_path(path)
return unless path return unless path
# Verify that the string starts with a `/` and a known route character. # Verify that the string starts with a `/` and a known route character.
return unless path =~ %r{^/[-\w].*$} return unless path =~ %r{\A/[-\w].*\z}
uri = URI(path) uri = URI(path)
# Ignore anything path of the redirect except for the path, querystring and, # Ignore anything path of the redirect except for the path, querystring and,
......
---
title: Fixes a Open Redirect issue in `InternalRedirect`.
merge_request:
author:
type: security
...@@ -19,7 +19,8 @@ describe InternalRedirect do ...@@ -19,7 +19,8 @@ describe InternalRedirect do
[ [
'Hello world', 'Hello world',
'//example.com/hello/world', '//example.com/hello/world',
'https://example.com/hello/world' 'https://example.com/hello/world',
"not-starting-with-a-slash\n/starting/with/slash"
] ]
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment