author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-30 21:08:56 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-30 21:08:56 +0300 |
commit | 98d7cc758fb73239fb957c297446c811ab4150d9 (patch) | |
tree | 227a5e8efe35d2ac158e762397609a3f1754b224 /lib/gitlab/middleware | |
parent | 038366a0932c5f88019cc3db85382f26af3933e7 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/middleware')
-rw-r--r-- | lib/gitlab/middleware/handle_malformed_strings.rb | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/gitlab/middleware/handle_malformed_strings.rb b/lib/gitlab/middleware/handle_malformed_strings.rb
index 5fe3e6a1c73..bb2a8ead525 100644
--- a/lib/gitlab/middleware/handle_malformed_strings.rb
+++ b/lib/gitlab/middleware/handle_malformed_strings.rb
@@ -26,13 +26,20 @@ module Gitlab
 request = Rack::Request.new(request)
- return true if string_malformed?(request.path)
+ return true if malformed_path?(request.path)
 request.params.values.any? do |value|
 param_has_null_byte?(value)
 end
 end
+ def malformed_path?(path)
+ string_malformed?(Rack::Utils.unescape(path))
+ rescue ArgumentError
+ # Rack::Utils.unescape raised this, path is malformed.
+ true
+ end
+
 def param_has_null_byte?(value, depth = 0)
 # Guard against possible attack sending large amounts of nested params
 # Should be safe as deeply nested params are highly uncommon. |
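Review bot: The `rescue ArgumentError` in the new `malformed_path?` is method-level, so it also swallows an ArgumentError raised inside `string_malformed?` (defined outside this hunk) and the comment "Rack::Utils.unescape raised this" is then not guaranteed to be true; narrowing the rescue to the decode step keeps the stated reason honest and lets an unexpected failure in the helper surface. Change the first body line to `decoded = Rack::Utils.unescape(path)` and, after the `true` in the rescue branch, add `else` followed by `string_malformed?(decoded)` so the check only runs when decoding succeeded. Separately, `Rack::Utils.unescape` is the form-decoding variant and turns `+` into a space, while `Rack::Utils.unescape_path` is the path-specific decoder; for null-byte detection the difference appears harmless, but a one-line comment recording that this choice is deliberate would spare the next reader the question. The enclosing class and the `string_malformed?` helper start outside the hunk.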