Allow encoded newlines in HTTP URLs
What does this MR do and why?
We saw in gitlab-com/gl-infra/production#5756 (closed) that restricting newlines in query strings blocks Google Cloud Storage (GCS) URLs from working, since GCS uses a multi-line Signature query string.
The original check was introduced to prevent CRLF injection in the Git protocol (#8438 (closed)). Git has since added protection against newlines in the URL (https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473), but they haven't blocked the carriage return (CR) case.
To ensure defense in depth, we continue to block Git requests with CRLF, but allow encoded, multi-line HTTP queries.
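As an added illustration of the two policies described above (this is example code, not the change in this MR and not GitLab's own validator), the Ruby snippet below keeps rejecting any carriage return or line feed, raw or percent-encoded, in a URL destined for the Git protocol, while for a plain HTTP URL it rejects raw CR/LF anywhere but tolerates percent-encoded newlines inside the query component only. The module and method names, the decision to confine the exception to the query component, and the GCS-style sample URL are all assumptions made for this example.

```ruby
require 'uri'

# Hypothetical validator (added example, not GitLab code).
#
# Git policy:  reject CR and LF, raw or percent-encoded, anywhere in the URL,
#              because the URL is handed to git, which still lets a CR through.
# HTTP policy: reject raw CR/LF anywhere (a raw CRLF in a request line is the
#              classic header-injection vector), but allow percent-encoded
#              CR/LF in the query string, where a multi-line base64 Signature
#              such as the one GCS emits legitimately contains %0A.
module NewlineCheck
  RAW_NEWLINE     = /[\r\n]/
  ENCODED_NEWLINE = /%0[AaDd]/ # %0A = LF, %0D = CR (either case)

  # True when the URL contains no CR/LF in any form.
  def self.safe_for_git?(url)
    !url.match?(RAW_NEWLINE) && !url.match?(ENCODED_NEWLINE)
  end

  # True when the URL has no raw CR/LF and any encoded CR/LF sits only in the query.
  def self.safe_for_http?(url)
    return false if url.match?(RAW_NEWLINE)

    uri = URI.parse(url)
    # Everything except the query component must still be free of encoded newlines.
    outside_query = [uri.scheme, uri.userinfo, uri.host, uri.path, uri.fragment].compact.join
    !outside_query.match?(ENCODED_NEWLINE)
  rescue URI::InvalidURIError
    false
  end

  # Constructed sample in the shape of a GCS signed URL: the Signature value
  # carries an encoded LF (%0A) from base64 line wrapping. Not a real signature.
  GCS_STYLE_URL = 'https://storage.googleapis.com/bucket/object' \
                  '?GoogleAccessId=svc%40example.iam.gserviceaccount.com' \
                  '&Expires=1700000000&Signature=abc%0Adef%3D'
end

if $PROGRAM_NAME == __FILE__
  puts "HTTP accepts GCS-style URL: #{NewlineCheck.safe_for_http?(NewlineCheck::GCS_STYLE_URL)}"
  puts "Git accepts GCS-style URL:  #{NewlineCheck.safe_for_git?(NewlineCheck::GCS_STYLE_URL)}"
end
```

The split matters because the two consumers differ: the HTTP client percent-decodes the query only on the server side, so `%0A` never becomes a bare line feed in the request line, whereas a URL passed to git is interpreted by git's own parser, which is why the stricter check stays in place there.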
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.