Add other method to handle strings middleware

496c3612 · Małgorzata Ksionek · c3ebc8a1 · 496c3612 · 496c3612
Commit 496c3612 authored Dec 02, 2020 by Małgorzata Ksionek
2 changed files
--- a/lib/gitlab/middleware/handle_malformed_strings.rb
+++ b/lib/gitlab/middleware/handle_malformed_strings.rb
@@ -61,7 +61,7 @@ module Gitlab

        return false unless credentials

-        string_malformed?(credentials)
+        credentials_string_malformed?(credentials)
      end

      def param_has_null_byte?(value, depth = 0)
@@ -98,6 +98,13 @@ module Gitlab
        # If we're here, we caught a malformed string. Return true
        true
      end
+
+      def credentials_string_malformed?(string)
+        string.force_encoding('UTF-8').match?(NULL_BYTE_REGEX)
+      rescue ArgumentError, Encoding::UndefinedConversionError
+        # If we're here, we caught a malformed string. Return true
+        true
+      end
    end
  end
 end
--- a/spec/lib/gitlab/middleware/handle_malformed_strings_spec.rb
+++ b/spec/lib/gitlab/middleware/handle_malformed_strings_spec.rb
-# frozen_string_literal: true

 require 'spec_helper'
 require "rack/test"
@@ -104,6 +103,12 @@ RSpec.describe Gitlab::Middleware::HandleMalformedStrings do

      expect(subject.call(env)).not_to eq error_400
    end
+
+    it 'does not reject correct encoded password with special characters' do
+      env = env_for.merge(auth_env("username", "RçKszEwéC5kFnû∆f243fycGu§Gh9ftDj!U", nil))
+
+      expect(subject.call(env)).not_to eq error_400
+    end
  end

  context 'in params' do