......@@ -6,7 +6,7 @@ module InternalRedirect
def safe_redirect_path(path)
return unless path
# Verify that the string starts with a `/` and a known route character.
return unless path =~ %r{^/[-\w].*$}
return unless path =~ %r{\A/[-\w].*\z}
uri = URI(path)
# Ignore anything path of the redirect except for the path, querystring and,
......
......
---
title: Fixes a Open Redirect issue in `InternalRedirect`.
merge_request:
author:
type: security
......@@ -19,7 +19,8 @@ describe InternalRedirect do
[
'Hello world',
'//example.com/hello/world',
'https://example.com/hello/world'
'https://example.com/hello/world',
"not-starting-with-a-slash\n/starting/with/slash"
]
end
......
......