author | Kamil Trzciński <ayufan@ayufan.eu> | 2018-06-15 11:02:27 +0000 |
---|---|---|
committer | Kamil Trzciński <ayufan@ayufan.eu> | 2018-06-15 11:02:27 +0000 |
commit | 59a2123db285ba738375f6c713a91df27085367a (patch) | |
tree | ca4c60a9c116a8cf8aae741c8be1aa90dd68a8fc | |
parent | f39582f7b8cc9f1fdb74b58eece944110fc0a625 (diff) | |
parent | 202bd2da16942ca8c9b667b10c75025a0c95980d (diff) | |
download | gitlab-ce-59a2123db285ba738375f6c713a91df27085367a.tar.gz |
Merge branch 'ce-jej/sanitize-group-saml-relay-state' into 'master'
[CE backport] Backport InternalRedirect#sanitize_redirect
See merge request gitlab-org/gitlab-ce!19795
-rw-r--r-- | app/controllers/concerns/internal_redirect.rb | 4 | ||||
-rw-r--r-- | spec/controllers/concerns/internal_redirect_spec.rb | 25 |
2 files changed, 29 insertions, 0 deletions
diff --git a/app/controllers/concerns/internal_redirect.rb b/app/controllers/concerns/internal_redirect.rb
index 7409b2e89a5..10b9852e329 100644
--- a/app/controllers/concerns/internal_redirect.rb
+++ b/app/controllers/concerns/internal_redirect.rb
@@ -23,6 +23,10 @@ module InternalRedirect
nil
end
+ def sanitize_redirect(url_or_path)
+ safe_redirect_path(url_or_path) || safe_redirect_path_for_url(url_or_path)
+ end
+
def host_allowed?(uri)
uri.host == request.host && uri.port == request.port
diff --git a/spec/controllers/concerns/internal_redirect_spec.rb b/spec/controllers/concerns/internal_redirect_spec.rb
index a0ee13b2352..7e23b56356e 100644
--- a/spec/controllers/concerns/internal_redirect_spec.rb
+++ b/spec/controllers/concerns/internal_redirect_spec.rb
@@ -54,6 +54,31 @@ describe InternalRedirect do
end
end
+ describe '#sanitize_redirect' do
+ let(:valid_path) { '/hello/world?hello=world' }
+ let(:valid_url) { "http://test.host#{valid_path}" }
+
+ it 'returns `nil` for invalid paths' do
+ invalid_path = '//not/valid'
+
+ expect(controller.sanitize_redirect(invalid_path)).to eq nil
+ end
+
+ it 'returns `nil` for invalid urls' do
+ input = 'http://test.host:3000/invalid'
+
+ expect(controller.sanitize_redirect(input)).to eq nil
+ end
+
+ it 'returns input for valid paths' do
+ expect(controller.sanitize_redirect(valid_path)).to eq valid_path
+ end
+
+ it 'returns path for valid urls' do
+ expect(controller.sanitize_redirect(valid_url)).to eq valid_path
+ end
+ end
+
describe '#host_allowed?' do
it 'allows uris with the same host and port' do
expect(controller.host_allowed?(URI('http://test.host/test'))).to be(true) |
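Review bot: `sanitize_redirect` in the internal_redirect.rb hunk carries no comment describing its contract, and the name suggests more than the body does: it never rewrites an unsafe value, it returns `nil` for one, and for a same-host URL it hands back only the path (the spec in this commit pins both), so a caller that passes the result straight to `redirect_to` needs an explicit fallback. I would add above the `def`: `# Returns a local path derived from url_or_path, or nil when the value is not a safe same-host redirect target; callers must supply a fallback (e.g. root_path) for nil.` `safe_redirect_path` and `safe_redirect_path_for_url` are defined outside this hunk, so which inputs they reject beyond the scheme-relative and other-port cases in the spec cannot be confirmed from here.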
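Review bot: The `#sanitize_redirect` examples in the spec hunk only exercise the port-mismatch case for a rejected URL (`http://test.host:3000/invalid`); a URL on a different host, which is the case the host check in `host_allowed?` primarily exists for, is not covered. I would add `it 'returns `nil` for urls on another host' do` / `expect(controller.sanitize_redirect('http://other.host/path')).to eq nil` / `end` next to the existing invalid-url example. A `nil` or empty-string input is also untested; whether the helpers tolerate it cannot be told from this hunk, so an example pinning that behaviour would be worthwhile either way.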