Fix HandleMalformedStrings middleware

Because of middleware loading order, sometimes we'd load before the path has been unescaped. Here we change the loading order to be as early as possible but also remove brittleness by unescaping the bits we care about ourselves.

Fix HandleMalformedStrings middleware
Because of middleware loading order, sometimes we'd load before the path has been unescaped. Here we change the loading order to be as early as possible but also remove brittleness by unescaping the bits we care about ourselves.
b6faa5af · Mario de la Ossa · 7ee20cb9 · b6faa5af · b6faa5af
Commit b6faa5af authored Oct 29, 2020 by Mario de la Ossa
2 changed files
--- a/lib/gitlab/middleware/handle_malformed_strings.rb
+++ b/lib/gitlab/middleware/handle_malformed_strings.rb
@@ -26,13 +26,20 @@ module Gitlab

        request = Rack::Request.new(request)

-        return true if string_malformed?(request.path)
+        return true if malformed_path?(request.path)

        request.params.values.any? do |value|
          param_has_null_byte?(value)
        end
      end

+      def malformed_path?(path)
+        string_malformed?(Rack::Utils.unescape(path))
+      rescue ArgumentError
+        # Rack::Utils.unescape raised this, path is malformed.
+        true
+      end
+
      def param_has_null_byte?(value, depth = 0)
        # Guard against possible attack sending large amounts of nested params
        # Should be safe as deeply nested params are highly uncommon.

--- a/spec/lib/gitlab/middleware/handle_malformed_strings_spec.rb
+++ b/spec/lib/gitlab/middleware/handle_malformed_strings_spec.rb
@@ -5,7 +5,9 @@ require "rack/test"

 RSpec.describe Gitlab::Middleware::HandleMalformedStrings do
  let(:null_byte) { "\u0000" }
+  let(:escaped_null_byte) { "%00" }
  let(:invalid_string) { "mal\xC0formed" }
+  let(:escaped_invalid_string) { "mal%c0formed" }
  let(:error_400) { [400, { 'Content-Type' => 'text/plain' }, ['Bad Request']] }
  let(:app) { double(:app) }

@@ -30,6 +32,14 @@ RSpec.describe Gitlab::Middleware::HandleMalformedStrings do
      expect(subject.call(env)).to eq error_400
    end

+    it 'rejects escaped null bytes' do
+      # We have to create the env separately or Rack::MockRequest complains about invalid URI
+      env = env_for
+      env['PATH_INFO'] = "/someplace/withan#{escaped_null_byte}escaped nullbyte"
+
+      expect(subject.call(env)).to eq error_400
+    end
+
    it 'rejects malformed strings' do
      # We have to create the env separately or Rack::MockRequest complains about invalid URI
      env = env_for
@@ -37,6 +47,14 @@ RSpec.describe Gitlab::Middleware::HandleMalformedStrings do

      expect(subject.call(env)).to eq error_400
    end
+
+    it 'rejects escaped malformed strings' do
+      # We have to create the env separately or Rack::MockRequest complains about invalid URI
+      env = env_for
+      env['PATH_INFO'] = "/someplace/with_an/#{escaped_invalid_string}"
+
+      expect(subject.call(env)).to eq error_400
+    end
  end

  context 'in params' do