Commit 657f8ec7 authored by Douwe Maan's avatar Douwe Maan Committed by Bob Van Landuyt

Merge branch 'rs-sanitize-submodule-urls' into 'security'

Sanitize submodule URLs before linking to them in the file tree view

See merge request !2084
parent a294795f
module SubmoduleHelper module SubmoduleHelper
include Gitlab::ShellAdapter include Gitlab::ShellAdapter
VALID_SUBMODULE_PROTOCOLS = %w[http https git ssh].freeze
# links to files listing for submodule if submodule is a project on this server # links to files listing for submodule if submodule is a project on this server
def submodule_links(submodule_item, ref = nil, repository = @repository) def submodule_links(submodule_item, ref = nil, repository = @repository)
url = repository.submodule_url_for(ref, submodule_item.path) url = repository.submodule_url_for(ref, submodule_item.path)
return url, nil unless url =~ /([^\/:]+)\/([^\/]+(?:\.git)?)\Z/ if url =~ /([^\/:]+)\/([^\/]+(?:\.git)?)\Z/
namespace, project = $1, $2
namespace = $1 project.sub!(/\.git\z/, '')
project = $2
project.chomp!('.git')
if self_url?(url, namespace, project) if self_url?(url, namespace, project)
return namespace_project_path(namespace, project), [namespace_project_path(namespace, project),
namespace_project_tree_path(namespace, project, namespace_project_tree_path(namespace, project, submodule_item.id)]
submodule_item.id)
elsif relative_self_url?(url) elsif relative_self_url?(url)
relative_self_links(url, submodule_item.id) relative_self_links(url, submodule_item.id)
elsif github_dot_com_url?(url) elsif github_dot_com_url?(url)
...@@ -22,7 +21,10 @@ module SubmoduleHelper ...@@ -22,7 +21,10 @@ module SubmoduleHelper
elsif gitlab_dot_com_url?(url) elsif gitlab_dot_com_url?(url)
standard_links('gitlab.com', namespace, project, submodule_item.id) standard_links('gitlab.com', namespace, project, submodule_item.id)
else else
return url, nil [sanitize_submodule_url(url), nil]
end
else
[sanitize_submodule_url(url), nil]
end end
end end
...@@ -73,4 +75,16 @@ module SubmoduleHelper ...@@ -73,4 +75,16 @@ module SubmoduleHelper
namespace_project_tree_path(namespace, base, commit) namespace_project_tree_path(namespace, base, commit)
] ]
end end
def sanitize_submodule_url(url)
uri = URI.parse(url)
if uri.scheme.in?(VALID_SUBMODULE_PROTOCOLS)
uri.to_s
else
nil
end
rescue URI::InvalidURIError
nil
end
end end
---
title: Sanitize submodule URLs before linking to them in the file tree view
merge_request:
author:
...@@ -109,6 +109,18 @@ describe SubmoduleHelper do ...@@ -109,6 +109,18 @@ describe SubmoduleHelper do
end end
context 'submodule on unsupported' do context 'submodule on unsupported' do
it 'sanitizes unsupported protocols' do
stub_url('javascript:alert("XSS");')
expect(helper.submodule_links(submodule_item)).to eq([nil, nil])
end
it 'sanitizes unsupported protocols disguised as a repository URL' do
stub_url('javascript:alert("XSS");foo/bar.git')
expect(helper.submodule_links(submodule_item)).to eq([nil, nil])
end
it 'returns original' do it 'returns original' do
stub_url('http://mygitserver.com/gitlab-org/gitlab-ce') stub_url('http://mygitserver.com/gitlab-org/gitlab-ce')
expect(submodule_links(submodule_item)).to eq([repo.submodule_url_for, nil]) expect(submodule_links(submodule_item)).to eq([repo.submodule_url_for, nil])
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment