Commit 0169dd7f authored by Tiago Botelho's avatar Tiago Botelho

Fixes project denial of service via gitmodules using Extended ASCII.

parent 5d3f7b13
......@@ -87,10 +87,14 @@ module SubmoduleHelper
namespace = @project.namespace.full_path
end
[
namespace_project_path(namespace, base),
namespace_project_tree_path(namespace, base, commit)
]
begin
[
namespace_project_path(namespace, base),
namespace_project_tree_path(namespace, base, commit)
]
rescue ActionController::UrlGenerationError
[nil, nil]
end
end
def sanitize_submodule_url(url)
......
---
title: Fixes project denial of service via gitmodules using Extended ASCII.
merge_request: 14301
author:
type: fixed
......@@ -147,6 +147,12 @@ describe SubmoduleHelper do
expect(helper.submodule_links(submodule_item)).to eq([nil, nil])
end
it 'sanitizes invalid URL with extended ASCII' do
stub_url('é')
expect(helper.submodule_links(submodule_item)).to eq([nil, nil])
end
it 'returns original' do
stub_url('http://mygitserver.com/gitlab-org/gitlab-ce')
expect(submodule_links(submodule_item)).to eq([repo.submodule_url_for, nil])
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment