Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.
Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2934 and https://gitlab.com/gitlab-org/gitlab/issues/33569
This commit is contained in:
parent
7e2b100854
commit
e3c910927c
@ -6,7 +6,7 @@ module InternalRedirect
def safe_redirect_path(path)
return unless path
# Verify that the string starts with a `/` and a known route character.
return unless path =~ %r{^/[-\w].*$}
return unless path =~ %r{\A/[-\w].*\z}
uri = URI(path)
# Ignore anything path of the redirect except for the path, querystring and,
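Review bot: The new anchored regex on the `return unless path =~ %r{\A/[-\w].*\z}` line is only used as a predicate, so `match?` would express that and avoid allocating a MatchData: `return unless path.match?(%r{\A/[-\w].*\z})`. The comment two lines above still describes only the leading `/` check; it should also record why the anchors matter, e.g. `# \A and \z (not ^ and $) so an embedded newline cannot hide a second, scheme-relative line from the check; '.' does not match "\n", so a trailing line is rejected too.` Note that `safe_redirect_path` continues past this hunk, so the behaviour of the later `URI(path)` call on inputs that pass the regex is not visible here.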
@ -19,7 +19,8 @@ describe InternalRedirect do
[
'Hello world',
'//example.com/hello/world',
'https://example.com/hello/world'
'https://example.com/hello/world',
"not-starting-with-a-slash\n/starting/with/slash"
]
end
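Review bot: The added unsafe-path example `"not-starting-with-a-slash\n/starting/with/slash"` only exercises the `\A` anchor (the first line is what fails); nothing in the list exercises the `\z` side, which is the half the old `$` got wrong. Adding the mirrored case `"/starting/with/slash\n//example.com"` to the same array pins that a valid-looking first line followed by a newline is still rejected, since `.` does not match `"\n"` and `\z` requires the true end of string. The enclosing example group and the `it` block that consumes this array start outside the hunk, so I am assuming the array feeds the existing "rejects unsafe paths" expectations.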