
authorVishal Tak <vtak@gitlab.com>2022-06-20 15:11:36 +0300
committerVishal Tak <vtak@gitlab.com>2022-06-20 15:56:32 +0300
commitca6db0ba6ba8b85d064b4bc3fe89795e78496df8 (patch)
tree9e44fe14f6e23a87a796366053c26ea3d53c8130 /internal
parent24344cc0b0c24e16939a93a610dc09eacece6deb (diff)
Fix domain level redirectsfix-redirects
Do not allow domain level redirects through special characters

Changelog: fixed
Diffstat (limited to 'internal')
-rw-r--r--internal/redirects/validations.go3
-rw-r--r--internal/redirects/validations_test.go4
2 files changed, 6 insertions, 1 deletions
diff --git a/internal/redirects/validations.go b/internal/redirects/validations.go
index 5264f731..ed022f52 100644
--- a/internal/redirects/validations.go
+++ b/internal/redirects/validations.go
@@ -28,7 +28,8 @@ func validateURL(urlText string) error {
// No support for domain-level redirects to outside sites:
// - `https://google.com`
// - `//google.com`
- if url.Host != "" || url.Scheme != "" {
+ // - `/\google.com`
+ if url.Host != "" || url.Scheme != "" || strings.HasPrefix(url.Path, "/\\") {
return errNoDomainLevelRedirects
}
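Review bot: The guard added on the `if` line rejects only the literal two-byte prefix `/\`, which is one of several spellings the WHATWG URL parser resolves to a host: in http(s) URLs every backslash is treated as a forward slash, so `\/GitLab.com` and `\\GitLab.com` also open with a slash pair, yet for those inputs url.Parse leaves Host and Scheme empty and the new HasPrefix check does not fire. Whether they are stopped later by a leading-slash requirement is not visible here (validateURL starts before this hunk and its body continues after it). Normalising before the check covers every variant in one place: `if url.Host != "" || url.Scheme != "" || strings.HasPrefix(strings.ReplaceAll(url.Path, "\\", "/"), "//") {`. Since url.Path is the percent-decoded path, the check also rejects `/%5CGitLab.com`; the comment list above the condition should say so, e.g. `// - /\google.com and \\google.com (browsers treat a backslash as a slash; Path is percent-decoded, so /%5C... is covered too)`.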
diff --git a/internal/redirects/validations_test.go b/internal/redirects/validations_test.go
index 6d6fbb3d..296be511 100644
--- a/internal/redirects/validations_test.go
+++ b/internal/redirects/validations_test.go
@@ -24,6 +24,10 @@ func TestRedirectsValidateUrl(t *testing.T) {
url: "https://GitLab.com",
expectedErr: errNoDomainLevelRedirects,
},
+ "no_special_characters_escape_domain_level_redirects": {
+ url: "/\\GitLab.com",
+ expectedErr: errNoDomainLevelRedirects,
+ },
"no_schemaless_url_domain_level_redirects": {
url: "//GitLab.com/pages.html",
expectedErr: errNoDomainLevelRedirects,
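Review bot: The added case pins only the literal `/\GitLab.com` spelling, so the guard's coverage of equivalent inputs is untested. Two cases that should already pass with the code as written are the percent-encoded form, `url: "/%5CGitLab.com"` (url.Parse decodes it into Path before the HasPrefix check runs), and a doubled backslash, `url: "/\\\\GitLab.com"`, both with `expectedErr: errNoDomainLevelRedirects`. The `\/GitLab.com` and `\\GitLab.com` spellings, which browsers also resolve to a host, deserve a case each, with whichever error validateURL returns for a path that does not begin with `/` — that part of the function is outside this hunk. TestRedirectsValidateUrl starts before this hunk and its table continues after it.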