Merge branch 'regex-start-of-string' into 'master'

Fix persistent XSS vulnerability around profile website URLs. Fixes gitlab/gitlab-ee#268 See merge request !1761

Merge branch 'regex-start-of-string' into 'master'
f2449144 · Dmitriy Zaporozhets · 9df14763 · 0988be4e · f2449144 · f2449144
Commit f2449144 authored Apr 12, 2015 by Dmitriy Zaporozhets
11 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.

 v 7.10.0 (unreleased)
  - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
+  - Fix persistent XSS vulnerability around profile website URLs.
  - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
  - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
  - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -153,7 +153,7 @@ class ApplicationController < ActionController::Base
  end

  def method_missing(method_sym, *arguments, &block)
-    if method_sym.to_s =~ /^authorize_(.*)!$/
+    if method_sym.to_s =~ /\Aauthorize_(.*)!\z/
      authorize_project!($1.to_sym)
    else
      super

--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -125,7 +125,7 @@ module ApplicationHelper

    # If reference is commit id - we should add it to branch/tag selectbox
    if(@ref && !options.flatten.include?(@ref) &&
-       @ref =~ /^[0-9a-zA-Z]{6,52}$/)
+       @ref =~ /\A[0-9a-zA-Z]{6,52}\z/)
      options << ['Commit', [@ref]]
    end


--- a/app/helpers/gitlab_markdown_helper.rb
+++ b/app/helpers/gitlab_markdown_helper.rb
@@ -13,7 +13,7 @@ module GitlabMarkdownHelper
  def link_to_gfm(body, url, html_options = {})
    return "" if body.blank?

-    escaped_body = if body =~ /^\<img/
+    escaped_body = if body =~ /\A\<img/
                     body
                   else
                     escape_once(body)
@@ -139,7 +139,7 @@ module GitlabMarkdownHelper
      @project.path_with_namespace,
      path_with_ref(file_path),
      file_path
-    ].compact.join("/").gsub(/^\/*|\/*$/, '') + id
+    ].compact.join("/").gsub(/\A\/*|\/*\z/, '') + id
  end

  def sanitize_slashes(path)

--- a/app/helpers/submodule_helper.rb
+++ b/app/helpers/submodule_helper.rb
@@ -44,7 +44,7 @@ module SubmoduleHelper

  def relative_self_url?(url)
    # (./)?(../repo.git) || (./)?(../../project/repo.git) )
-    url =~ /^((\.\/)?(\.\.\/))(?!(\.\.)|(.*\/)).*\.git\Z/ || url =~ /^((\.\/)?(\.\.\/){2})(?!(\.\.))([^\/]*)\/(?!(\.\.)|(.*\/)).*\.git\Z/
+    url =~ /\A((\.\/)?(\.\.\/))(?!(\.\.)|(.*\/)).*\.git\z/ || url =~ /\A((\.\/)?(\.\.\/){2})(?!(\.\.))([^\/]*)\/(?!(\.\.)|(.*\/)).*\.git\z/
  end

  def standard_links(host, namespace, project, commit)

--- a/app/models/project_services/irker_service.rb
+++ b/app/models/project_services/irker_service.rb
@@ -148,7 +148,7 @@ class IrkerService < Service

  def consider_uri(uri)
    # Authorize both irc://domain.com/#chan and irc://domain.com/chan
-    if uri.is_a?(URI) && uri.scheme[/^ircs?$/] && !uri.path.nil?
+    if uri.is_a?(URI) && uri.scheme[/^ircs?\z/] && !uri.path.nil?
      # Do not authorize irc://domain.com/
      if uri.fragment.nil? && uri.path.length > 1
        uri.to_s

--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -199,7 +199,7 @@ class Repository
  def changelog
    cache.fetch(:changelog) do
      tree(:head).blobs.find do |file|
-        file.name =~ /^(changelog|history)/i
+        file.name =~ /\A(changelog|history)/i
      end
    end
  end
@@ -207,7 +207,7 @@ class Repository
  def license
    cache.fetch(:license) do
      tree(:head).blobs.find do |file|
-        file.name =~ /^license/i
+        file.name =~ /\Alicense/i
      end
    end
  end

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -486,13 +486,13 @@ class User < ActiveRecord::Base
  end

  def full_website_url
-    return "http://#{website_url}" if website_url !~ /^https?:\/\//
+    return "http://#{website_url}" if website_url !~ /\Ahttps?:\/\//

    website_url
  end

  def short_website_url
-    website_url.gsub(/https?:\/\//, '')
+    website_url.sub(/\Ahttps?:\/\//, '')
  end

  def all_ssh_keys

--- a/app/services/create_tag_service.rb
+++ b/app/services/create_tag_service.rb
@@ -13,9 +13,7 @@ class CreateTagService < BaseService
      return error('Tag already exists')
    end

-    if message
-      message.gsub!(/^\s+|\s+$/, '')
-    end
+    message.strip! if message

    repository.add_tag(tag_name, ref, message)
    new_tag = repository.find_tag(tag_name)

--- a/app/workers/post_receive.rb
+++ b/app/workers/post_receive.rb
@@ -11,8 +11,8 @@ class PostReceive
      log("Check gitlab.yml config for correct gitlab_shell.repos_path variable. \"#{Gitlab.config.gitlab_shell.repos_path}\" does not match \"#{repo_path}\"")
    end

-    repo_path.gsub!(/\.git$/, "")
-    repo_path.gsub!(/^\//, "")
+    repo_path.gsub!(/\.git\z/, "")
+    repo_path.gsub!(/\A\//, "")

    project = Project.find_with_namespace(repo_path)


--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -208,7 +208,7 @@ Devise.setup do |config|
  if Gitlab::LDAP::Config.enabled?
    Gitlab.config.ldap.servers.values.each do |server|
      if server['allow_username_or_email_login']
-        email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')}
+        email_stripping_proc = ->(name) {name.gsub(/@.*\z/,'')}
      else
        email_stripping_proc = ->(name) {name}
      end