Commit e1f3fd2b authored by Dominic Couture's avatar Dominic Couture

Escape branch names in push instructions

Changelog: security
parent 0cc6a229
- @content_class = "limit-container-width" unless fluid_layout - @content_class = "limit-container-width" unless fluid_layout
- default_branch_name = @project.default_branch_or_main - default_branch_name = @project.default_branch_or_main
- escaped_default_branch_name = default_branch_name.shellescape
- @skip_current_level_breadcrumb = true - @skip_current_level_breadcrumb = true
= render partial: 'flash_messages', locals: { project: @project } = render partial: 'flash_messages', locals: { project: @project }
...@@ -42,25 +43,25 @@ ...@@ -42,25 +43,25 @@
:preserve :preserve
git clone #{ content_tag(:span, default_url_to_repo, class: 'js-clone')} git clone #{ content_tag(:span, default_url_to_repo, class: 'js-clone')}
cd #{h @project.path} cd #{h @project.path}
git switch -c #{h default_branch_name} git switch -c #{h escaped_default_branch_name}
touch README.md touch README.md
git add README.md git add README.md
git commit -m "add README" git commit -m "add README"
- if @project.can_current_user_push_to_default_branch? - if @project.can_current_user_push_to_default_branch?
%span>< %span><
git push -u origin #{h default_branch_name } git push -u origin #{h escaped_default_branch_name }
%h5= _('Push an existing folder') %h5= _('Push an existing folder')
%pre.bg-light %pre.bg-light
:preserve :preserve
cd existing_folder cd existing_folder
git init --initial-branch=#{h default_branch_name} git init --initial-branch=#{h escaped_default_branch_name}
git remote add origin #{ content_tag(:span, default_url_to_repo, class: 'js-clone')} git remote add origin #{ content_tag(:span, default_url_to_repo, class: 'js-clone')}
git add . git add .
git commit -m "Initial commit" git commit -m "Initial commit"
- if @project.can_current_user_push_to_default_branch? - if @project.can_current_user_push_to_default_branch?
%span>< %span><
git push -u origin #{h default_branch_name } git push -u origin #{h escaped_default_branch_name }
%h5= _('Push an existing Git repository') %h5= _('Push an existing Git repository')
%pre.bg-light %pre.bg-light
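Review bot: The `h escaped_default_branch_name` interpolations on the `git switch -c`, `git push -u origin` and `git init --initial-branch=` lines stack two escapes by design — `shellescape` for the terminal the snippet is pasted into, then `h` for the HTML page — but nothing in the template says so, and a later cleanup could easily drop one layer as "redundant". A HAML comment beside the assignment in the earlier hunk (whose header is outside this view) would pin the contract, e.g. `-# Shell-escape first: this value is pasted into a terminal. The h() at each use site is the HTML layer; keep both.` Note that `shellescape` emits POSIX-style backslash quoting, so a name containing metacharacters presumably renders correctly for sh/bash users but not for cmd.exe or PowerShell; if that audience matters, the page text could state that the snippets assume a POSIX shell. The `%pre` elements these `:preserve` blocks belong to open above this hunk.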
...@@ -25,6 +25,21 @@ RSpec.describe 'projects/empty' do ...@@ -25,6 +25,21 @@ RSpec.describe 'projects/empty' do
expect(rendered).to have_content("git clone") expect(rendered).to have_content("git clone")
end end
context 'when default branch name contains special shell characters' do
let(:branch_name) { ';rm -rf /' }
before do
allow(project).to receive(:default_branch_or_main).and_return(branch_name)
end
it 'escapes the default branch name' do
render
expect(rendered).not_to have_content(branch_name)
expect(rendered).to have_content(branch_name.shellescape)
end
end
end end
context 'when user can not push code on the project' do context 'when user can not push code on the project' do
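Review bot: The new context pins the escaping with one sample and a negative assertion (`expect(rendered).not_to have_content(branch_name)`), which would also pass if the name were dropped or truncated entirely, and the positive assertion goes through `have_content`, which matches decoded text, so it cannot tell whether the HTML layer (`h`) is still applied over `shellescape`. A second example with a quote character would exercise both layers, e.g. `let(:branch_name) { "it's" }` together with `expect(rendered).to include(ERB::Util.html_escape(branch_name.shellescape))` against the raw markup. The `context` that encloses the added block begins above this hunk.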