BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
ed662aa6
Commit
ed662aa6
authored
Apr 10, 2017
by
Douwe Maan
Committed by
Lin Jen-Shin
May 04, 2017
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Merge branch 'rs-sanitize-submodule-urls' into 'security'
Sanitize submodule URLs before linking to them in the file tree view See merge request !2084
parent
8da103e4
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
46 additions
and
16 deletions
+46
-16
submodule_helper.rb
app/helpers/submodule_helper.rb
+30
-16
rs-sanitize-submodule-urls.yml
changelogs/unreleased/rs-sanitize-submodule-urls.yml
+4
-0
submodule_helper_spec.rb
spec/helpers/submodule_helper_spec.rb
+12
-0
No files found.
app/helpers/submodule_helper.rb
View file @
ed662aa6
module
SubmoduleHelper
include
Gitlab
::
ShellAdapter
VALID_SUBMODULE_PROTOCOLS
=
%w[http https git ssh]
.
freeze
# links to files listing for submodule if submodule is a project on this server
def
submodule_links
(
submodule_item
,
ref
=
nil
,
repository
=
@repository
)
url
=
repository
.
submodule_url_for
(
ref
,
submodule_item
.
path
)
return
url
,
nil
unless
url
=~
/([^\/:]+)\/([^\/]+\.git)\Z/
namespace
=
$1
project
=
$2
project
.
chomp!
(
'.git'
)
if
url
=~
/([^\/:]+)\/([^\/]+\.git)\Z/
namespace
,
project
=
$1
,
$2
project
.
sub!
(
/\.git\z/
,
''
)
if
self_url?
(
url
,
namespace
,
project
)
return
namespace_project_path
(
namespace
,
project
),
namespace_project_tree_path
(
namespace
,
project
,
submodule_item
.
id
)
elsif
relative_self_url?
(
url
)
relative_self_links
(
url
,
submodule_item
.
id
)
elsif
github_dot_com_url?
(
url
)
standard_links
(
'github.com'
,
namespace
,
project
,
submodule_item
.
id
)
elsif
gitlab_dot_com_url?
(
url
)
standard_links
(
'gitlab.com'
,
namespace
,
project
,
submodule_item
.
id
)
if
self_url?
(
url
,
namespace
,
project
)
[
namespace_project_path
(
namespace
,
project
),
namespace_project_tree_path
(
namespace
,
project
,
submodule_item
.
id
)]
elsif
relative_self_url?
(
url
)
relative_self_links
(
url
,
submodule_item
.
id
)
elsif
github_dot_com_url?
(
url
)
standard_links
(
'github.com'
,
namespace
,
project
,
submodule_item
.
id
)
elsif
gitlab_dot_com_url?
(
url
)
standard_links
(
'gitlab.com'
,
namespace
,
project
,
submodule_item
.
id
)
else
[
sanitize_submodule_url
(
url
),
nil
]
end
else
return
url
,
nil
[
sanitize_submodule_url
(
url
),
nil
]
end
end
...
...
@@ -71,4 +73,16 @@ module SubmoduleHelper
namespace_project_tree_path
(
namespace
,
base
,
commit
)
]
end
def
sanitize_submodule_url
(
url
)
uri
=
URI
.
parse
(
url
)
if
uri
.
scheme
.
in?
(
VALID_SUBMODULE_PROTOCOLS
)
uri
.
to_s
else
nil
end
rescue
URI
::
InvalidURIError
nil
end
end
changelogs/unreleased/rs-sanitize-submodule-urls.yml
0 → 100644
View file @
ed662aa6
---
title
:
Sanitize submodule URLs before linking to them in the file tree view
merge_request
:
author
:
spec/helpers/submodule_helper_spec.rb
View file @
ed662aa6
...
...
@@ -105,6 +105,18 @@ describe SubmoduleHelper do
end
context
'submodule on unsupported'
do
it
'sanitizes unsupported protocols'
do
stub_url
(
'javascript:alert("XSS");'
)
expect
(
helper
.
submodule_links
(
submodule_item
)).
to
eq
([
nil
,
nil
])
end
it
'sanitizes unsupported protocols disguised as a repository URL'
do
stub_url
(
'javascript:alert("XSS");foo/bar.git'
)
expect
(
helper
.
submodule_links
(
submodule_item
)).
to
eq
([
nil
,
nil
])
end
it
'returns original'
do
stub_url
(
'http://mygitserver.com/gitlab-org/gitlab-ce'
)
expect
(
submodule_links
(
submodule_item
)).
to
eq
([
repo
.
submodule_url_for
,
nil
])
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment