
Do not unescape branch name when deleting branch

What does this MR do and why?

Previously, when we unescaped the branch name passed by the frontend (e.g. test%2fbranch), it could match a branch with the unescaped name (e.g. test/branch).

In a case where both the test%2fbranch and test/branch branches exist, the previous behavior leads to a bug where test/branch is deleted even if test%2fbranch was the one being deleted.

The fix is to remove the unescape code so we just look up the branch to delete without unescaping the branch name.

It is intentional that this is being fixed outside of the security process, as mentioned in #334033 (comment 713978164).

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Create the test%2fbranch branch via the git CLI.
  2. Create the test/branch branch via the git CLI.
  3. Go to the list of branches in the web UI (Repository > Branches).
  4. Delete the test%2fbranch branch and it should be deleted.
  5. Delete the test/branch branch and it should be deleted.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #334033 (closed)

Edited by Patrick Bajao
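
The lookup confusion described in this MR, reproduced as an added example that is not GitLab's code: it contrasts an unescaping lookup with an exact lookup and adds an audit helper that lists branches whose decoded name collides with another branch. The branch list, the helper names, and the use of `CGI.unescape` as the unescape step are assumptions for illustration.

```ruby
require 'cgi'
require 'set'

# Constructed sample: branch names as they exist in one repository.
BRANCHES = ['main', 'test/branch', 'test%2fbranch', 'release%2F1.0'].freeze

# "Before" behaviour: the name received from the frontend is unescaped
# before the lookup, so "test%2fbranch" resolves to "test/branch".
# CGI.unescape stands in for the unescape step (assumption).
def find_branch_unescaped(branches, name)
  target = CGI.unescape(name)
  branches.find { |b| b == target }
end

# "After" behaviour: the name is compared byte-for-byte, with no decoding.
def find_branch_exact(branches, name)
  branches.find { |b| b == name }
end

# Audit helper (hypothetical): map each branch whose percent-decoded form
# is the name of a different existing branch to that other branch. These
# are the pairs an unescaping lookup would confuse.
def colliding_branches(branches)
  existing = branches.to_set
  branches.each_with_object({}) do |name, collisions|
    decoded = CGI.unescape(name)
    collisions[name] = decoded if decoded != name && existing.include?(decoded)
  end
end

if __FILE__ == $PROGRAM_NAME
  requested = 'test%2fbranch'
  puts "requested delete:   #{requested}"
  puts "unescaping lookup:  #{find_branch_unescaped(BRANCHES, requested)}"
  puts "exact lookup:       #{find_branch_exact(BRANCHES, requested)}"
  colliding_branches(BRANCHES).each do |encoded, plain|
    puts "collision: #{encoded.inspect} decodes to existing branch #{plain.inspect}"
  end
end
```

`release%2F1.0` is not reported because no `release/1.0` branch exists in the sample; only pairs where both forms are present are ambiguous under the old lookup.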
