Add latest changes from gitlab-org/security/gitlab@15-3-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-08-26 17:39:41 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-08-26 17:39:41 +0300
commit: 93fd80667dcfbacca2b41168da6fcb3f67c0899b (patch)
tree: 17d0bd9c303b7a0dbed87811e438d10fee49991f /spec/initializers/rack_VULNDB-255039_patch_spec.rb
parent: f332982c82ad95ae2ee22242c39f78717613165f (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/spec/initializers/rack_VULNDB-255039_patch_spec.rb b/spec/initializers/rack_VULNDB-255039_patch_spec.rb
new file mode 100644
index 00000000000..754ff2f10e0
--- /dev/null
+++ b/spec/initializers/rack_VULNDB-255039_patch_spec.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Rack VULNDB-255039' do
+  context 'when handling query params in GET requests' do
+    it 'does not treat semicolons as query delimiters' do
+      env = ::Rack::MockRequest.env_for('http://gitlab.com?a=b;c=1')
+
+      query_hash = ::Rack::Request.new(env).GET
+
+      # Prior to this patch, this was splitting around the semicolon, which
+      # would return {"a"=>"b", "c"=>"1"}
+      expect(query_hash).to eq({ "a" => "b;c=1" })
+    end
+  end
+end
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-08-26 17:39:41 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-08-26 17:39:41 +0300
commit	93fd80667dcfbacca2b41168da6fcb3f67c0899b (patch)
tree	17d0bd9c303b7a0dbed87811e438d10fee49991f /spec/initializers/rack_VULNDB-255039_patch_spec.rb
parent	f332982c82ad95ae2ee22242c39f78717613165f (diff)