Commit e36c347f authored by Stan Hu

Gracefully handle references with null bytes

`Rugged::Reference.valid_name?` used in
`Gitlab::GitRefValidator.validate` fails on strings containing null
bytes because it uses `StringValueCStr()`. Per
https://silverhammermba.github.io/emberb/c/:

Ruby’s String kinda corresponds to C’s char*. The simplest macro is
StringValueCStr() which returns a null-terminated char* for a
String. The problem here is that a Ruby String might contain nulls - in
which case StringValueCStr() will raise an ArgumentError!

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54466
parent deaf3af7
---
title: Gracefully handle references with null bytes
merge_request: 23365
author:
type: fixed
...@@ -13,7 +13,11 @@ module Gitlab ...@@ -13,7 +13,11 @@ module Gitlab
return false if ref_name.start_with?(*not_allowed_prefixes) return false if ref_name.start_with?(*not_allowed_prefixes)
return false if ref_name == 'HEAD' return false if ref_name == 'HEAD'
Rugged::Reference.valid_name? "refs/heads/#{ref_name}" begin
Rugged::Reference.valid_name?("refs/heads/#{ref_name}")
rescue ArgumentError
return false
end
end end
end end
end end
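Review bot: the `rescue ArgumentError` wrapped around `Rugged::Reference.valid_name?` catches every ArgumentError raised by that call, not only the null-byte case the commit message describes, so an unrelated argument problem would be silently reported as "invalid ref". An explicit guard ahead of the call, for example `return false if ref_name.include?("\0")`, would make the intent visible and keep other errors loud; if the rescue stays, a one-line comment naming the `StringValueCStr()` null-byte behaviour would help the next reader. The `return false` inside the `begin` block is also the last expression of the method here, so a plain `false` would do.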
...@@ -27,4 +27,5 @@ describe Gitlab::GitRefValidator do ...@@ -27,4 +27,5 @@ describe Gitlab::GitRefValidator do
it { expect(described_class.validate('-branch')).to be_falsey } it { expect(described_class.validate('-branch')).to be_falsey }
it { expect(described_class.validate('.tag')).to be_falsey } it { expect(described_class.validate('.tag')).to be_falsey }
it { expect(described_class.validate('my branch')).to be_falsey } it { expect(described_class.validate('my branch')).to be_falsey }
it { expect(described_class.validate("\xA0\u0000\xB0")).to be_falsey }
end end
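Review bot: the single new expectation uses `"\xA0\u0000\xB0"`, which combines two non-ASCII bytes with the null byte, so the spec does not show which part of the input causes the rejection. A case with an otherwise valid name that contains only a null byte (for example `"branch\u0000name"`) would pin the behaviour to the null-byte path this commit fixes, and the expectation could assert that `validate` does not raise as well as that it is falsey.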