diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index dcd3262e57..f09f8dd1d8 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -31,11 +31,23 @@
   end
 
   describe :username do
+    let(:new_user) { build :user }
+
     it "checks uniqueness case insensitively" do
       create :user, username: "TestUser"
       user2 = build  :user, username: "testuser"
       expect(user2.save).to be_false
     end
+
+    it "cannot contain null bytes" do
+      new_user.username = "\x00gerard"
+      expect(new_user.valid?).to be_false
+    end
+
+    it "Test for HackerOne report #24189" do
+      new_user.username = "gerard%0a"
+      expect(new_user.valid?).to be_false
+    end
   end
 
   describe '#full_name' do