Commit 995e656addd588377fbf8ae6f9e04dee37ebc604

Authored by Dmitriy Zaporozhets
1 parent 8f52501e

Add path blacklist

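--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -27,6 +27,7 @@ class Namespace < ActiveRecord::Base
 message: "only letters, digits, spaces & '_' '-' '.' allowed." }
 validates :description, length: { within: 0..255 }
 validates :path, uniqueness: true, presence: true, length: { within: 1..255 },
+exclusion: { in: Gitlab::Blacklist.path },
 format: { with: Gitlab::Regex.path_regex,
 message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }
 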
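Review bot: The `exclusion: { in: Gitlab::Blacklist.path }` added at new line 30 compares `path` against the reserved names as plain, case-sensitive strings, so `Admin` or `ADMIN` is accepted while `admin` is rejected; if any route or storage layer treats these segments case-insensitively (I cannot confirm that from this diff), the check should run on a normalised value, e.g. a custom validation `errors.add(:path, "is reserved") if Gitlab::Blacklist.path.include?(path.to_s.downcase)`. The identical line is added in app/models/project.rb (new line 82) and app/models/user.rb (new line 107); the removed `repo_name` check in project.rb was also an exact match, so this is a pre-existing gap rather than a regression. A standard validation also runs on every save, so any existing namespace, project or user that already holds a reserved path will fail validation on its next unrelated update unless those records are renamed first. The `validates :path` call continues on the following lines and the enclosing class starts outside the hunk.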
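--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -79,6 +79,7 @@ class Project < ActiveRecord::Base
 format: { with: Gitlab::Regex.project_name_regex,
 message: "only letters, digits, spaces & '_' '-' '.' allowed. Letter should be first" }
 validates :path, presence: true, length: { within: 0..255 },
+exclusion: { in: Gitlab::Blacklist.path },
 format: { with: Gitlab::Regex.path_regex,
 message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }
 validates :issues_enabled, :wall_enabled, :merge_requests_enabled,
@@ -92,7 +93,7 @@ class Project < ActiveRecord::Base
 format: { with: URI::regexp(%w(http https)), message: "should be a valid url" },
 if: :import?
 
-validate :check_limit, :repo_name
+validate :check_limit
 
 # Scopes
 scope :without_user, ->(user) { where("projects.id NOT IN (:ids)", ids: user.authorized_projects.map(&:id) ) }
@@ -166,14 +167,6 @@ class Project < ActiveRecord::Base
 errors[:base] << ("Can't check your ability to create project")
 end
 
-def repo_name
-denied_paths = %w(admin dashboard groups help profile projects search)
-
-if denied_paths.include?(path)
-errors.add(:path, "like #{path} is not allowed")
-end
-end
-
 def to_param
 if namespace
 namespace.path + "/" + path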
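--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -104,6 +104,7 @@ class User < ActiveRecord::Base
 validates :extern_uid, allow_blank: true, uniqueness: {scope: :provider}
 validates :projects_limit, presence: true, numericality: {greater_than_or_equal_to: 0}
 validates :username, presence: true, uniqueness: true,
+exclusion: { in: Gitlab::Blacklist.path },
 format: { with: Gitlab::Regex.username_regex,
 message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }
 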
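--- /dev/null
+++ b/lib/gitlab/blacklist.rb
@@ -0,0 +1,9 @@
+module Gitlab
+module Blacklist
+extend self
+
+def path
+%w(admin dashboard groups help profile projects search public assets u s teams merge_requests issues users snippets )
+end
+end
+end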
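Review bot: `path` at new line 5 allocates a fresh array from the `%w(...)` literal on every call and the module says nothing about what the names are or why they are reserved; since the list is constant data, hold it in a frozen constant and return that, i.e. `PATH = %w(admin dashboard groups help profile projects search public assets u s teams merge_requests issues users snippets).freeze` followed by `def path` / `PATH` / `end`, so the three model validators and any later lookup share one immutable object. A header comment such as `# Path segments that namespaces, project paths and usernames may not use, presumably because they would shadow top-level application routes; keep in sync with the route definitions` would tell the next maintainer where the list comes from (the route linkage is my inference from the names, which match the old `denied_paths` list plus new entries). The trailing space inside `%w( ... snippets )` is harmless to `%w` but reads as a leftover and can be dropped.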