Commit 020078663e401798d199a1a293ac59d990f81dad
1 parent
cfdf94fc
Exists in
master
and in
4 other branches
Prevent XSS attack via group name. Added regex validation for group and team names.
Showing
5 changed files
with
22 additions
and
6 deletions
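--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -73,8 +73,8 @@ module ApplicationHelper
 
   def search_autocomplete_source
     projects = current_user.authorized_projects.map { |p| { label: "project: #{p.name_with_namespace}", url: project_path(p) } }
-    groups = current_user.authorized_groups.map { |group| { label: "group: #{group.name}", url: group_path(group) } }
-    teams = current_user.authorized_teams.map { |team| { label: "team: #{team.name}", url: team_path(team) } }
+    groups = current_user.authorized_groups.map { |group| { label: "group: #{simple_sanitize(group.name)}", url: group_path(group) } }
+    teams = current_user.authorized_teams.map { |team| { label: "team: #{simple_sanitize(team.name)}", url: team_path(team) } }
 
     default_nav = [
       { label: "My Profile", url: profile_path },
@@ -159,8 +159,13 @@ module ApplicationHelper
                       alt: "Sign in with #{provider.to_s.titleize}")
   end
 
+  def simple_sanitize str
+    sanitize(str, tags: %w(a span))
+  end
+
   def image_url(source)
     root_url + path_to_image(source)
   end
+
   alias_method :url_to_image, :image_url
 end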
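Review bot: `simple_sanitize` on new line 162 passes only `tags:` to `sanitize`, so the attribute allow-list stays at the framework default and a permitted `<a>` keeps its `href`; for a value that this same commit constrains at the model to `[a-zA-Z0-9_\-. ]`, plain escaping (`ERB::Util.html_escape(str)`) would be both stricter and simpler, unless some caller relies on markup in names, which is not visible here. In the first hunk the `projects` label on line 75 still interpolates `p.name_with_namespace` without any escaping or sanitizing; whether project names are regex-constrained is not shown on this page, so that entry deserves the same treatment as the group and team labels beneath it. Minor style: `def simple_sanitize str` should be `def simple_sanitize(str)` to match the neighbouring `def image_url(source)`, and the helper would benefit from a one-line comment such as `# Strips everything except <a>/<span> from a user-controlled display name before it is interpolated into markup`.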
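--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -56,7 +56,7 @@ module ProjectsHelper
   def project_title project
     if project.group
       content_tag :span do
-        link_to(project.group.name, group_path(project.group)) + " / " + project.name
+        link_to(simple_sanitize(project.group.name), group_path(project.group)) + " / " + project.name
       end
     else
       project.name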
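--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -17,11 +17,15 @@ class Namespace < ActiveRecord::Base
   has_many :projects, dependent: :destroy
   belongs_to :owner, class_name: "User"
 
-  validates :name, presence: true, uniqueness: true
+  validates :owner, presence: true
+  validates :name, presence: true, uniqueness: true,
+            length: { within: 0..255 },
+            format: { with: Gitlab::Regex.name_regex,
+                      message: "only letters, digits, spaces & '_' '-' '.' allowed." }
+
   validates :path, uniqueness: true, presence: true, length: { within: 1..255 },
             format: { with: Gitlab::Regex.path_regex,
                       message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }
-  validates :owner, presence: true
 
   delegate :name, to: :owner, allow_nil: true, prefix: true
 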
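Review bot: `length: { within: 0..255 }` on new line 22 has a dead lower bound, because `presence: true` on the line above already rejects an empty name; `length: { maximum: 255 }`, or `within: 1..255` to match the `:path` rule three lines below, states the intent directly. The same pattern appears in app/models/user_team.rb in this commit. Model validation only runs on save, so namespace and team names persisted before this change are not re-checked, and as far as this page shows no data migration re-validates or renames them; until one exists, the helper-level `simple_sanitize` added in the same commit is the only guard for those existing rows, which is worth stating in the commit message or a comment next to the validation.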
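--- a/app/models/user_team.rb
+++ b/app/models/user_team.rb
@@ -21,8 +21,11 @@ class UserTeam < ActiveRecord::Base
   has_many :projects, through: :user_team_project_relationships
   has_many :members, through: :user_team_user_relationships, source: :user
 
-  validates :name, presence: true, uniqueness: true
   validates :owner, presence: true
+  validates :name, presence: true, uniqueness: true,
+            length: { within: 0..255 },
+            format: { with: Gitlab::Regex.name_regex,
+                      message: "only letters, digits, spaces & '_' '-' '.' allowed." }
   validates :path, uniqueness: true, presence: true, length: { within: 1..255 },
             format: { with: Gitlab::Regex.path_regex,
                       message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }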
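--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -10,6 +10,10 @@ module Gitlab
      /\A[a-zA-Z][a-zA-Z0-9_\-\. ]*\z/
     end
 
+    def name_regex
+      /\A[a-zA-Z0-9_\-\. ]*\z/
+    end
+
     def path_regex
       default_regex
     end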
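Review bot: `name_regex` on new line 14 uses `*` over a class that includes the space, so it matches the empty string and names made only of spaces or dots, and it accepts leading and trailing spaces, making `" admin"` and `"admin"` distinct values under the `uniqueness` rule in the models that use it. The empty case is covered by the separate `presence: true` in app/models/namespace.rb and app/models/user_team.rb, but that dependency is invisible here; either require a non-space first character, `/\A[a-zA-Z0-9_\-\.][a-zA-Z0-9_\-\. ]*\z/`, or document it with `# Display name for groups/teams: ASCII letters, digits, space, _ - . ; may be empty, presence is validated by the model`. The ASCII-only class also rejects any non-Latin name that may already be stored, which is a behaviour change worth calling out rather than a defect. The enclosing module continues outside the hunk.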