Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.

Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2934 and https://gitlab.com/gitlab-org/gitlab/issues/33569

Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.
Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2934 and https://gitlab.com/gitlab-org/gitlab/issues/33569
4b38003d · Joern Schneeweisz · 1425a56c · 4b38003d · 4b38003d · 4b38003d
Commit 4b38003d authored Oct 22, 2019 by Joern Schneeweisz
3 changed files
--- a/app/controllers/concerns/internal_redirect.rb
+++ b/app/controllers/concerns/internal_redirect.rb
@@ -6,7 +6,7 @@ module InternalRedirect
  def safe_redirect_path(path)
    return unless path
    # Verify that the string starts with a `/` and a known route character.
-    return unless path =~ %r{^/[-\w].*$}
+    return unless path =~ %r{\A/[-\w].*\z}
    uri = URI(path)
    # Ignore anything path of the redirect except for the path, querystring and,

--- a/changelogs/unreleased/security-open-redirect-internalredirect.yml
+++ b/changelogs/unreleased/security-open-redirect-internalredirect.yml
+---
+title: Fixes a Open Redirect issue in `InternalRedirect`.
+merge_request:
+author:
+type: security
--- a/spec/controllers/concerns/internal_redirect_spec.rb
+++ b/spec/controllers/concerns/internal_redirect_spec.rb
@@ -19,7 +19,8 @@ describe InternalRedirect do
      [
        'Hello world',
        '//example.com/hello/world',
-        'https://example.com/hello/world'
+        'https://example.com/hello/world',
+        "not-starting-with-a-slash\n/starting/with/slash"
      ]
    end