Commit c1712b48 authored by GitLab Release Tools Bot

Merge branch 'security-390910-15-10' into '15-10-stable-ee'

Prohibit 40 character hex sets at beginning of path-based branch name

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3194



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Co-authored-by: Robert May <rmay@gitlab.com>
parents c5cc1b3c 71d30b65
......@@ -42,7 +42,7 @@ def validate!
def prohibited_branch_checks
return if deletion?
if branch_name =~ /\A\h{40}\z/
if branch_name =~ %r{\A\h{40}(/|\z)}
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_hex_branch_name]
end
end
......
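Review bot: in `prohibited_branch_checks`, the new pattern `%r{\A\h{40}(/|\z)}` has no comment saying why a 40-hex first path segment is rejected, and it uses `=~` with a capturing group whose match is never read. A one-line comment noting that 40 hex characters is the length of a full SHA-1 commit id, together with `branch_name.match?(%r{\A\h{40}(?:/|\z)})`, would state the intent and avoid setting the match globals. The `return if deletion?` guard above it means existing branches with such names can still be deleted, which is worth saying in the same comment.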
......@@ -26,8 +26,14 @@
expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
end
it "prohibits 40-character hexadecimal branch names as the start of a path" do
allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e/test")
expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
end
it "doesn't prohibit a nested hexadecimal in a branch name" do
allow(subject).to receive(:branch_name).and_return("fix-267208abfe40e546f5e847444276f7d43a39503e")
allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e-fix")
expect { subject.validate! }.not_to raise_error
end
......
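Review bot: in the "doesn't prohibit a nested hexadecimal in a branch name" example, the stub for `fix-267208ab…` appears to be swapped for `267208ab…-fix` (the rendered page has lost the +/- markers), which drops coverage of the hex-as-suffix case. Keeping both as separate examples, and adding one where the hex string is a later path segment (for instance `feature/<40 hex>`, which the `\A` anchor should still allow), would pin down the boundary of the new rule. The new "start of a path" example also expects the message "You cannot create a branch with a 40-character hexadecimal branch name." for a name ending in `/test`, so the wording may need to mention the path-prefix case.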