Skip to content

Correct namespace validation to forbid bad names #21077

What does this MR do?

Updates master namespace regex to forbid any namespace ending in .git or .atom and corrects and adds relevant tests

Are there points in the code the reviewer needs to double check?

I think it's all good. I could use help with the creation of tests for usernames with trailing .atom or .git as the testing framework is a bit over my head.

Why was this MR needed?

A group that ends in .atom will cause the relevent dashboard to crash if the user (ANY user, not just the creator) has visibility of the group until it is deleted through the admin panel (it cannot be renamed, the edit page will crash. It may be fixable through the API, that wasn't checked.)

This allows a malicious user with group creation privileges to bulk add users to a group, rename the group to a bad name, and crash the groups dashboard for all members of the group. The same applies if the group is internal or public and users navigate to the explore tab of the groups dashboard.

The same applies to usernames ending in .atom.

In many places of the code, it implies that .git in not allowed at the end of namespaces, but many allowed it anyway. This MR forbids it everywhere to prevent potential issues (like the one with .atom going forward).

What are the relevant issue numbers?

Group path validation incomplete, crashes groups dashboard #21077

Does this MR meet the acceptance criteria?

Merge request reports