Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
iv
gitlab-ce
Commits
cd828a65
Commit
cd828a65
authored
Nov 19, 2014
by
Jacob Vosmaer
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch '7-4-stable-sanitize' into '7-4-stable'
Sanitize fixes See merge request !1264
parents
85a9feab
3a58cc15
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
61 additions
and
3 deletions
+61
-3
app/controllers/projects/branches_controller.rb
app/controllers/projects/branches_controller.rb
+4
-1
app/helpers/commits_helper.rb
app/helpers/commits_helper.rb
+6
-2
spec/controllers/branches_controller_spec.rb
spec/controllers/branches_controller_spec.rb
+51
-0
No files found.
app/controllers/projects/branches_controller.rb
View file @
cd828a65
class
Projects::BranchesController
<
Projects
::
ApplicationController
class
Projects::BranchesController
<
Projects
::
ApplicationController
include
ActionView
::
Helpers
::
SanitizeHelper
# Authorize
# Authorize
before_filter
:authorize_read_project!
before_filter
:authorize_read_project!
before_filter
:require_non_empty_project
before_filter
:require_non_empty_project
...
@@ -17,8 +18,10 @@ class Projects::BranchesController < Projects::ApplicationController
...
@@ -17,8 +18,10 @@ class Projects::BranchesController < Projects::ApplicationController
end
end
def
create
def
create
branch_name
=
sanitize
(
strip_tags
(
params
[
:branch_name
]))
ref
=
sanitize
(
strip_tags
(
params
[
:ref
]))
result
=
CreateBranchService
.
new
(
project
,
current_user
).
result
=
CreateBranchService
.
new
(
project
,
current_user
).
execute
(
params
[
:branch_name
],
params
[
:ref
]
)
execute
(
branch_name
,
ref
)
if
result
[
:status
]
==
:success
if
result
[
:status
]
==
:success
@branch
=
result
[
:branch
]
@branch
=
result
[
:branch
]
redirect_to
project_tree_path
(
@project
,
@branch
.
name
)
redirect_to
project_tree_path
(
@project
,
@branch
.
name
)
...
...
app/helpers/commits_helper.rb
View file @
cd828a65
...
@@ -87,8 +87,8 @@ module CommitsHelper
...
@@ -87,8 +87,8 @@ module CommitsHelper
# avatar: true will prepend the avatar image
# avatar: true will prepend the avatar image
# size: size of the avatar image in px
# size: size of the avatar image in px
def
commit_person_link
(
commit
,
options
=
{})
def
commit_person_link
(
commit
,
options
=
{})
source_name
=
c
ommit
.
send
"
#{
options
[
:source
]
}
_name"
.
to_sym
source_name
=
c
lean
(
commit
.
send
"
#{
options
[
:source
]
}
_name"
.
to_sym
)
source_email
=
c
ommit
.
send
"
#{
options
[
:source
]
}
_email"
.
to_sym
source_email
=
c
lean
(
commit
.
send
"
#{
options
[
:source
]
}
_email"
.
to_sym
)
user
=
User
.
find_for_commit
(
source_email
,
source_name
)
user
=
User
.
find_for_commit
(
source_email
,
source_name
)
person_name
=
user
.
nil?
?
source_name
:
user
.
name
person_name
=
user
.
nil?
?
source_name
:
user
.
name
...
@@ -124,4 +124,8 @@ module CommitsHelper
...
@@ -124,4 +124,8 @@ module CommitsHelper
def
truncate_sha
(
sha
)
def
truncate_sha
(
sha
)
Commit
.
truncate_sha
(
sha
)
Commit
.
truncate_sha
(
sha
)
end
end
def
clean
(
string
)
Sanitize
.
clean
(
string
,
remove_contents:
true
)
end
end
end
spec/controllers/branches_controller_spec.rb
0 → 100644
View file @
cd828a65
require
'spec_helper'
describe
Projects
::
BranchesController
do
let
(
:project
)
{
create
(
:project
)
}
let
(
:user
)
{
create
(
:user
)
}
before
do
sign_in
(
user
)
project
.
team
<<
[
user
,
:master
]
project
.
stub
(
:branches
).
and_return
([
'master'
,
'foo/bar/baz'
])
project
.
stub
(
:tags
).
and_return
([
'v1.0.0'
,
'v2.0.0'
])
controller
.
instance_variable_set
(
:@project
,
project
)
end
describe
"POST create"
do
render_views
before
{
post
:create
,
project_id:
project
.
to_param
,
branch_name:
branch
,
ref:
ref
}
context
"valid branch name, valid source"
do
let
(
:branch
)
{
"merge_branch"
}
let
(
:ref
)
{
"master"
}
it
{
should
redirect_to
(
"/
#{
project
.
path_with_namespace
}
/tree/merge_branch"
)
}
end
context
"invalid branch name, valid ref"
do
let
(
:branch
)
{
"<script>alert('merge');</script>"
}
let
(
:ref
)
{
"master"
}
it
{
should
redirect_to
(
"/
#{
project
.
path_with_namespace
}
/tree/alert('merge');"
)
}
end
context
"valid branch name, invalid ref"
do
let
(
:branch
)
{
"merge_branch"
}
let
(
:ref
)
{
"<script>alert('ref');</script>"
}
it
{
should
render_template
(
"new"
)
}
end
context
"invalid branch name, invalid ref"
do
let
(
:branch
)
{
"<script>alert('merge');</script>"
}
let
(
:ref
)
{
"<script>alert('ref');</script>"
}
it
{
should
render_template
(
"new"
)
}
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment