authorGitLab Bot <gitlab-bot@gitlab.com>2023-07-31 17:32:24 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-07-31 17:32:24 +0300
commitf5fe9b63037d428aecb04c375579ef022ba98e1d (patch)
tree3ae39e605490a5eb4fdaf5adcbd4f54d8aadb990
parent920cbcb38960331cd5e9315e63b2d808fd1a1e48 (diff)
Add latest changes from gitlab-org/security/gitlab@16-2-stable-ee
-rw-r--r--lib/gitlab/checks/branch_check.rb2
-rw-r--r--spec/lib/gitlab/checks/branch_check_spec.rb6
2 files changed, 7 insertions, 1 deletions
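diff --git a/lib/gitlab/checks/branch_check.rb b/lib/gitlab/checks/branch_check.rb
index 8be1e1716ec..aa89c2711f9 100644
--- a/lib/gitlab/checks/branch_check.rb
+++ b/lib/gitlab/checks/branch_check.rb
@@ -43,7 +43,7 @@ module Gitlab
 def prohibited_branch_checks
 return if deletion?
-if branch_name =~ %r{\A\h{40}(/|\z)}
+if branch_name =~ %r{\A\h{40}(-/|/|\z)}
 raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_hex_branch_name]
 end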
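Review bot: The rewritten condition on the `+` line still uses `=~` although its MatchData result is never read; `match?` states the boolean intent and skips the allocation, and the three-way alternation folds into a single optional prefix: `if branch_name.match?(%r{\A\h{40}(?:-?/|\z)})`. The reason `-/` is now rejected is not recorded next to the pattern, so a comment along the lines of `# Refuse names shaped like a 40-hex commit OID, alone or followed by "/" or "-/", since they are ambiguous with commit references in ref-based paths` (assuming that is the motivation, as the new spec name suggests) would spare the next reader a trip to the spec. Both the pre-existing and the new branch of the pattern are fixed at `\h{40}`, so if repositories here can use SHA-256 object IDs (64 hex digits) the same ambiguity would presumably apply to them — worth confirming rather than assuming. `prohibited_branch_checks` continues past the end of the hunk.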
diff --git a/spec/lib/gitlab/checks/branch_check_spec.rb b/spec/lib/gitlab/checks/branch_check_spec.rb
index 7ce267c535f..9950d4dbd12 100644
--- a/spec/lib/gitlab/checks/branch_check_spec.rb
+++ b/spec/lib/gitlab/checks/branch_check_spec.rb
@@ -32,6 +32,12 @@ RSpec.describe Gitlab::Checks::BranchCheck, feature_category: :source_code_manag
expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
end
+ it "prohibits 40-character hexadecimal branch names followed by a dash as the start of a path" do
+ allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e-/test")
+
+ expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+ end
+
it "doesn't prohibit a nested hexadecimal in a branch name" do
allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e-fix")