Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-10-30 21:08:56 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-10-30 21:08:56 +0300
commit: 98d7cc758fb73239fb957c297446c811ab4150d9 (patch)
tree: 227a5e8efe35d2ac158e762397609a3f1754b224 /lib/gitlab/middleware
parent: 038366a0932c5f88019cc3db85382f26af3933e7 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/gitlab/middleware/handle_malformed_strings.rb b/lib/gitlab/middleware/handle_malformed_strings.rb
index 5fe3e6a1c73..bb2a8ead525 100644
--- a/lib/gitlab/middleware/handle_malformed_strings.rb
+++ b/lib/gitlab/middleware/handle_malformed_strings.rb
@@ -26,13 +26,20 @@ module Gitlab
 
         request = Rack::Request.new(request)
 
-        return true if string_malformed?(request.path)
+        return true if malformed_path?(request.path)
 
         request.params.values.any? do |value|
           param_has_null_byte?(value)
         end
       end
 
+      def malformed_path?(path)
+        string_malformed?(Rack::Utils.unescape(path))
+      rescue ArgumentError
+        # Rack::Utils.unescape raised this, path is malformed.
+        true
+      end
+
       def param_has_null_byte?(value, depth = 0)
         # Guard against possible attack sending large amounts of nested params
         # Should be safe as deeply nested params are highly uncommon.
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-10-30 21:08:56 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-10-30 21:08:56 +0300
commit	98d7cc758fb73239fb957c297446c811ab4150d9 (patch)
tree	227a5e8efe35d2ac158e762397609a3f1754b224 /lib/gitlab/middleware
parent	038366a0932c5f88019cc3db85382f26af3933e7 (diff)