Fix the vulnerability in the glm_source parameter

Merge branch 'cherry-pick-98bf5baa-2' into '17-2-stable-ee' See merge request gitlab-org/security/gitlab!4435 Changelog: security

Fix the vulnerability in the glm_source parameter
Merge branch 'cherry-pick-98bf5baa-2' into '17-2-stable-ee' See merge request gitlab-org/security/gitlab!4435 Changelog: security
676a3fad · Doug Stull · GitLab Release Tools Bot · af196fe5 · 676a3fad · 676a3fad
Commit 676a3fad authored 8 months ago by Doug Stull Committed by GitLab Release Tools Bot 8 months ago
--- a/app/controllers/concerns/preferred_language_switcher.rb
+++ b/app/controllers/concerns/preferred_language_switcher.rb
@@ -38,12 +38,12 @@ def browser_languages
  strong_memoize_attr :browser_languages

  def marketing_site_language
-    return [] unless params[:glm_source]
+    # Our marketing site will be the only thing we are sure of the language placement in the url for.
+    locale = params[:glm_source]&.match(%r{\A#{ApplicationHelper.promo_host}/([a-z]{2})-([a-z]{2})}i)&.captures

-    locale = params[:glm_source].scan(%r{(\w{2})-(\w{2})}).flatten
-
-    return [] if locale.empty?
+    return [] if locale.blank?

+    # This is local and then locale_region - the marketing site will always send locale-region pairs like fr-fr.
    [locale[0], "#{locale[0]}_#{locale[1]}"]
  end
 end

--- a/spec/controllers/concerns/preferred_language_switcher_spec.rb
+++ b/spec/controllers/concerns/preferred_language_switcher_spec.rb
@@ -40,6 +40,22 @@ def new
        expect(subject).to eq 'fr'
      end

+      context 'for case insensitivity on language' do
+        let(:glm_source) { 'about.gitlab.com/fr-FR/' }
+
+        it 'sets preferred_language accordingly' do
+          expect(subject).to eq 'fr'
+        end
+      end
+
+      context 'for case insensitivity on marketing site URL' do
+        let(:glm_source) { 'ABOUT.gitlab.com/fr-fr/' }
+
+        it 'sets preferred_language accordingly' do
+          expect(subject).to eq 'fr'
+        end
+      end
+
      context 'when language param is invalid' do
        let(:glm_source) { 'about.gitlab.com/ko-ko/' }

@@ -47,6 +63,14 @@ def new
          expect(subject).to eq Gitlab::CurrentSettings.default_preferred_language
        end
      end
+
+      context 'when the glm_source is not the marketing site' do
+        let(:glm_source) { 'some.othersite.com/fr-fr/' }
+
+        it 'sets preferred_language to default' do
+          expect(subject).to eq Gitlab::CurrentSettings.default_preferred_language
+        end
+      end
    end

    context 'when browser preferred language is not english' do