Commit 020078663e401798d199a1a293ac59d990f81dad
1 parent
cfdf94fc
Prevent xss attack over group name. Added regex validation for group and team name
Showing
5 changed files
with
22 additions
and
6 deletions
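--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -73,8 +73,8 @@ module ApplicationHelper
 
   def search_autocomplete_source
     projects = current_user.authorized_projects.map { |p| { label: "project: #{p.name_with_namespace}", url: project_path(p) } }
-    groups = current_user.authorized_groups.map { |group| { label: "group: #{group.name}", url: group_path(group) } }
-    teams = current_user.authorized_teams.map { |team| { label: "team: #{team.name}", url: team_path(team) } }
+    groups = current_user.authorized_groups.map { |group| { label: "group: #{simple_sanitize(group.name)}", url: group_path(group) } }
+    teams = current_user.authorized_teams.map { |team| { label: "team: #{simple_sanitize(team.name)}", url: team_path(team) } }
 
     default_nav = [
       { label: "My Profile", url: profile_path },
@@ -159,8 +159,13 @@ module ApplicationHelper
               alt: "Sign in with #{provider.to_s.titleize}")
   end
 
+  def simple_sanitize str
+    sanitize(str, tags: %w(a span))
+  end
+
   def image_url(source)
     root_url + path_to_image(source)
   end
+
   alias_method :url_to_image, :image_url
 end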
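Review bot: `simple_sanitize` at new line 162 allowlists `<a>` and `<span>` instead of escaping, which is broader than the autocomplete labels at lines 76–77 need: a group or team name has no legitimate reason to carry markup, and the same commit restricts names to letters, digits, spaces and `_-.` in the model. Rails' `sanitize` also keeps its default allowed attributes (such as `href`) on a surviving `<a>`, so the safer helper body is plain escaping, `ERB::Util.html_escape(str)`, or at least `sanitize(str, tags: %w(a span), attributes: [])` together with a comment stating why anchors are ever wanted inside a name. Style: the definition drops the parentheses while the neighbouring `def image_url(source)` uses them, so `def simple_sanitize(str)` keeps the module consistent. Rows saved before the new validation existed are not re-checked, so output-side escaping has to stay regardless of the regex.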
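--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -56,7 +56,7 @@ module ProjectsHelper
   def project_title project
     if project.group
       content_tag :span do
-        link_to(project.group.name, group_path(project.group)) + " / " + project.name
+        link_to(simple_sanitize(project.group.name), group_path(project.group)) + " / " + project.name
       end
     else
       project.name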
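Review bot: Wrapping the link text in `simple_sanitize` at new line 59 loosens rather than tightens the output: on Rails 3+ `link_to` HTML-escapes a plain String name, whereas the sanitizer returns an html_safe string, so a stored name containing `<a>` or `<span>` is now rendered as live markup nested inside the link instead of as visible text. If the intent is to match the autocomplete change, `link_to(h(project.group.name), group_path(project.group))` is the stricter form. `project.name` on the same line is still escaped by the SafeBuffer concatenation, so only the group name is affected. The `project_title` method continues past the end of the hunk.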
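--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -17,11 +17,15 @@ class Namespace < ActiveRecord::Base
   has_many :projects, dependent: :destroy
   belongs_to :owner, class_name: "User"
 
-  validates :name, presence: true, uniqueness: true
+  validates :owner, presence: true
+  validates :name, presence: true, uniqueness: true,
+            length: { within: 0..255 },
+            format: { with: Gitlab::Regex.name_regex,
+                      message: "only letters, digits, spaces & '_' '-' '.' allowed." }
+
   validates :path, uniqueness: true, presence: true, length: { within: 1..255 },
             format: { with: Gitlab::Regex.path_regex,
                       message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }
-  validates :owner, presence: true
 
   delegate :name, to: :owner, allow_nil: true, prefix: true
 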
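Review bot: `length: { within: 0..255 }` at new line 22 pairs a zero lower bound with `presence: true`, which is contradictory (presence already rejects the empty string) and inconsistent with the `1..255` used for `path` three lines below; `length: { maximum: 255 }` or `length: { within: 1..255 }` states the intent. The same pattern is repeated in app/models/user_team.rb. `Gitlab::Regex.name_regex` is defined outside this diff, so confirm it is anchored with `\A` and `\z` rather than `^` and `$`: a `format:` validator with line anchors accepts a multi-line value whose first line matches while the remaining lines carry anything. Validations run only on save, so names stored before this change are not cleaned up by it, and the helper-side escaping must remain the primary control.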
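--- a/app/models/user_team.rb
+++ b/app/models/user_team.rb
@@ -21,8 +21,11 @@ class UserTeam < ActiveRecord::Base
   has_many :projects, through: :user_team_project_relationships
   has_many :members, through: :user_team_user_relationships, source: :user
 
-  validates :name, presence: true, uniqueness: true
   validates :owner, presence: true
+  validates :name, presence: true, uniqueness: true,
+            length: { within: 0..255 },
+            format: { with: Gitlab::Regex.name_regex,
+                      message: "only letters, digits, spaces & '_' '-' '.' allowed." }
   validates :path, uniqueness: true, presence: true, length: { within: 1..255 },
             format: { with: Gitlab::Regex.path_regex,
                       message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }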