Skip to content

New signup username starting with question mark `?` raises an exception and returns status 500.

Created by: cirosantilli

To reproduce: signup with username ?asdf. Currently happening on gitlab.com.

Cause

Username validation https://github.com/gitlabhq/gitlabhq/blob/fb3104dabf5a6e47019a795bef70c6dbf1aea3b2/app/models/user.rb#L122 which resolves to regexp https://github.com/gitlabhq/gitlabhq/blob/fb3104dabf5a6e47019a795bef70c6dbf1aea3b2/lib/gitlab/regex.rb#L52

/\A[.?]?[a-zA-Z0-9_][a-zA-Z0-9_\-\.]*(?<!\.git)\z/

I suppose it was meant to be only \A[.]? at the beginning.

Proposed solution

Currently the same regex is used to validate file path creation from the web UI, and it is was already possible to create file paths that start with question mark: https://gitlab.com/cirosantilli/test0/blob/master/%3Fa.md

However, it is currently not possible to sign up with usernames that start in ? because of the 500, I propose we use separate regexes for them, so we can just start to enforce it.

GitLab.com admins should check to see if anyone has an username starting with ? in case that was possible in a previous version: even if it was this case is so edgy and complicating that we could still consider emailing such users and doing a data destructive migration.

I also propose that more general filenames be allowed at web UI creation: http://feedback.gitlab.com/forums/176466-general/suggestions/6124783-allow-to-create-almost-any-filename-character-or

Noticed at: #7199 (closed)