nexedi / gitlab-ce
Commit 2f89c77e, authored Nov 08, 2018 by Alessio Caiazza
Cleanup stored XSS from environments table
parent 759c5296
Changes: 2 changed files with 46 additions and 0 deletions
db/migrate/20181108091549_cleanup_environments_external_url.rb (+18, -0)
spec/migrations/cleanup_environments_external_url_spec.rb (+28, -0)
db/migrate/20181108091549_cleanup_environments_external_url.rb (new file, 0 → 100644)
# frozen_string_literal: true
class
CleanupEnvironmentsExternalUrl
<
ActiveRecord
::
Migration
include
Gitlab
::
Database
::
MigrationHelpers
DOWNTIME
=
false
disable_ddl_transaction!
def
up
update_column_in_batches
(
:environments
,
:external_url
,
nil
)
do
|
table
,
query
|
query
.
where
(
table
[
:external_url
].
matches
(
'javascript://%'
))
end
end
def
down
end
end
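Review bot: `down` is an empty method, so the migration is irreversible by design (the cleared `javascript://` values must not be restored), but nothing in the file says so; add a one-line comment in `down` such as `# no-op: the cleared external_url values are unsafe and are intentionally not restored` so the empty body is not mistaken for an oversight. Second, the predicate in `up` is the single pattern `'javascript://%'`, which is anchored to that literal prefix: a stored value that uses the `javascript:` scheme without the two slashes, or that carries leading whitespace, is not matched and stays in the table, so either broaden the predicate or note why this exact prefix is the only form that needs cleaning. Case is already handled: Arel `matches` emits `ILIKE` on PostgreSQL and MySQL's `LIKE` is case-insensitive under its default collations, so a mixed-case scheme is covered without extra work.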
spec/migrations/cleanup_environments_external_url_spec.rb (new file, 0 → 100644)
require
'spec_helper'
require
Rails
.
root
.
join
(
'db'
,
'migrate'
,
'20181108091549_cleanup_environments_external_url.rb'
)
describe
CleanupEnvironmentsExternalUrl
,
:migration
do
let
(
:environments
)
{
table
(
:environments
)
}
let
(
:invalid_entries
)
{
environments
.
where
(
environments
.
arel_table
[
:external_url
].
matches
(
'javascript://%'
))
}
let
(
:namespaces
)
{
table
(
:namespaces
)
}
let
(
:projects
)
{
table
(
:projects
)
}
before
do
namespace
=
namespaces
.
create
(
name:
'foo'
,
path:
'foo'
)
project
=
projects
.
create!
(
namespace_id:
namespace
.
id
)
environments
.
create!
(
id:
1
,
project_id:
project
.
id
,
name:
'poisoned'
,
slug:
'poisoned'
,
external_url:
'javascript://alert("1")'
)
end
it
'clears every environment with a javascript external_url'
do
expect
do
subject
.
up
end
.
to
change
{
invalid_entries
.
count
}.
from
(
1
).
to
(
0
)
end
it
'do not removes environments'
do
expect
do
subject
.
up
end
.
not_to
change
{
environments
.
count
}
end
end
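Review bot: the `before` block seeds only the poisoned row, so the second example (`expect { subject.up }.not_to change { environments.count }`) would still pass if the migration nulled the `external_url` of every environment, because no benign row exists to detect that; create a second environment with an ordinary `https://` external_url in `before` and assert it survives, e.g. `expect(environments.find_by(name: 'valid').external_url).to eq('https://example.com')` after `subject.up`. The description `'do not removes environments'` should read `'does not remove environments'`. Minor: `namespaces.create(name: 'foo', path: 'foo')` returns an unsaved record on validation failure while `projects.create!` and `environments.create!` raise; use `create!` for the namespace as well so a setup failure surfaces instead of producing a nil `namespace.id`.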