Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42

3 files changed, 72 insertions, 1 deletions

diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index 47d0b9ba8cb..4b65bbcc791 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -18,6 +18,15 @@ module Gitlab
         request = ActionDispatch::Request.new(env)
 
         render_go_doc(request) || @app.call(env)
+      rescue Gitlab::Auth::IpBlacklisted
+        Gitlab::AuthLogger.error(
+          message: 'Rack_Attack',
+          env: :blocklist,
+          remote_ip: request.ip,
+          request_method: request.request_method,
+          path: request.fullpath
+        )
+        Rack::Response.new('', 403).finish
       end
 
       private
diff --git a/lib/gitlab/middleware/handle_null_bytes.rb b/lib/gitlab/middleware/handle_null_bytes.rb
new file mode 100644
index 00000000000..c88dfb6ee0b
--- /dev/null
+++ b/lib/gitlab/middleware/handle_null_bytes.rb
@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Middleware
+    # There is no valid reason for a request to contain a null byte (U+0000)
+    # so just return HTTP 400 (Bad Request) if we receive one
+    class HandleNullBytes
+      NULL_BYTE_REGEX = Regexp.new(Regexp.escape("\u0000")).freeze
+
+      attr_reader :app
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        return [400, {}, ["Bad Request"]] if request_has_null_byte?(env)
+
+        app.call(env)
+      end
+
+      private
+
+      def request_has_null_byte?(request)
+        return false if ENV['REJECT_NULL_BYTES'] == "1"
+
+        request = Rack::Request.new(request)
+
+        request.params.values.any? do |value|
+          param_has_null_byte?(value)
+        end
+      end
+
+      def param_has_null_byte?(value, depth = 0)
+        # Guard against possible attack sending large amounts of nested params
+        # Should be safe as deeply nested params are highly uncommon.
+        return false if depth > 2
+
+        depth += 1
+
+        if value.respond_to?(:match)
+          string_contains_null_byte?(value)
+        elsif value.respond_to?(:values)
+          value.values.any? do |hash_value|
+            param_has_null_byte?(hash_value, depth)
+          end
+        elsif value.is_a?(Array)
+          value.any? do |array_value|
+            param_has_null_byte?(array_value, depth)
+          end
+        else
+          false
+        end
+      end
+
+      def string_contains_null_byte?(string)
+        string.match?(NULL_BYTE_REGEX)
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/middleware/multipart.rb b/lib/gitlab/middleware/multipart.rb
index 8e6ac7610f2..7e98f1fc1f7 100644
--- a/lib/gitlab/middleware/multipart.rb
+++ b/lib/gitlab/middleware/multipart.rb
@@ -137,6 +137,7 @@ module Gitlab
 
       # TODO this class is meant to replace Handler when the feature flag
       # upload_middleware_jwt_params_handler is removed
+      # See https://gitlab.com/gitlab-org/gitlab/-/issues/233895#roll-out-steps
       class HandlerForJWTParams < Handler
         def with_open_files
           @rewritten_fields.keys.each do |field|
@@ -228,7 +229,7 @@ module Gitlab
       private
 
       def handler_class
-        if Feature.enabled?(:upload_middleware_jwt_params_handler)
+        if Feature.enabled?(:upload_middleware_jwt_params_handler, default_enabled: true)
           ::Gitlab::Middleware::Multipart::HandlerForJWTParams
         else
           ::Gitlab::Middleware::Multipart::Handler