Merge branch 'branch_name' into 'master'

Strip tags from branch name See merge request !1251

Merge branch 'branch_name' into 'master'
7e3f49ba · Dmitriy Zaporozhets · d55f5587 · 334fe865 · 7e3f49ba · 7e3f49ba
Commit 7e3f49ba authored Nov 14, 2014 by Dmitriy Zaporozhets
Hide whitespace changes
Inline Side-by-side

Showing with 55 additions and 1 deletion

branches_controller.rb app/controllers/projects/branches_controller.rb +4 -1

branches_controller_spec.rb spec/controllers/branches_controller_spec.rb +51 -0

No files found.
--- a/app/controllers/projects/branches_controller.rb
+++ b/app/controllers/projects/branches_controller.rb
 class Projects::BranchesController < Projects::ApplicationController
+  include ActionView::Helpers::SanitizeHelper
  # Authorize
  before_filter :require_non_empty_project

@@ -16,8 +17,10 @@ class Projects::BranchesController < Projects::ApplicationController
  end

  def create
+    branch_name = sanitize(strip_tags(params[:branch_name]))
+    ref = sanitize(strip_tags(params[:ref]))
    result = CreateBranchService.new(project, current_user).
-        execute(params[:branch_name], params[:ref])
+        execute(branch_name, ref)

    if result[:status] == :success
      @branch = result[:branch]

--- a/spec/controllers/branches_controller_spec.rb
+++ b/spec/controllers/branches_controller_spec.rb
+require 'spec_helper'
+
+describe Projects::BranchesController do
+  let(:project) { create(:project) }
+  let(:user)    { create(:user) }
+
+  before do
+    sign_in(user)
+
+    project.team << [user, :master]
+
+    project.stub(:branches).and_return(['master', 'foo/bar/baz'])
+    project.stub(:tags).and_return(['v1.0.0', 'v2.0.0'])
+    controller.instance_variable_set(:@project, project)
+  end
+
+  describe "POST create" do
+    render_views
+
+    before {
+      post :create,
+        project_id: project.to_param,
+        branch_name: branch,
+        ref: ref
+    }
+
+    context "valid branch name, valid source" do
+      let(:branch) { "merge_branch" }
+      let(:ref) { "master" }
+      it { should redirect_to("/#{project.path_with_namespace}/tree/merge_branch") }
+    end
+
+    context "invalid branch name, valid ref" do
+      let(:branch) { "<script>alert('merge');</script>" }
+      let(:ref) { "master" }
+      it { should redirect_to("/#{project.path_with_namespace}/tree/alert('merge');") }
+    end
+
+    context "valid branch name, invalid ref" do
+      let(:branch) { "merge_branch" }
+      let(:ref) { "<script>alert('ref');</script>" }
+      it { should render_template("new") }
+    end
+
+    context "invalid branch name, invalid ref" do
+      let(:branch) { "<script>alert('merge');</script>" }
+      let(:ref) { "<script>alert('ref');</script>" }
+      it { should render_template("new") }
+    end
+  end
+end