Merge branch 'arbitrary-local-repo-import' into 'master'

Prevent arbitary local repos from being imported. Fixes gitlab/gitlab-ee#263. See merge request !1763

Merge branch 'arbitrary-local-repo-import' into 'master'
Prevent arbitary local repos from being imported. Fixes gitlab/gitlab-ee#263. See merge request !1763
8d9d63b2 · Dmitriy Zaporozhets · 73269a0a · 9e52a2dc · 8d9d63b2 · 8d9d63b2
Commit 8d9d63b2 authored Apr 12, 2015 by Dmitriy Zaporozhets
7 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 v 7.10.0 (unreleased)
  - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
  - Fix persistent XSS vulnerability around profile website URLs.
+  - Fix project import URL regex to prevent arbitary local repos from being imported.
  - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
  - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
  - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)

--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -24,7 +24,7 @@ class ApplicationSetting < ActiveRecord::Base

  validates :home_page_url,
    allow_blank: true,
-    format: { with: URI::regexp(%w(http https)), message: "should be a valid url" },
+    format: { with: /\A#{URI.regexp(%w(http https))}\z/, message: "should be a valid url" },
    if: :home_page_url_column_exist

  validates_each :restricted_visibility_levels do |record, attr, value|

--- a/app/models/hooks/web_hook.rb
+++ b/app/models/hooks/web_hook.rb
@@ -28,7 +28,7 @@ class WebHook < ActiveRecord::Base
  default_timeout Gitlab.config.gitlab.webhook_timeout

  validates :url, presence: true,
-                  format: { with: URI::regexp(%w(http https)), message: "should be a valid url" }
+                  format: { with: /\A#{URI.regexp(%w(http https))}\z/, message: "should be a valid url" }

  def execute(data)
    parsed_url = URI.parse(url)

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -137,7 +137,7 @@ class Project < ActiveRecord::Base
  validates_uniqueness_of :name, scope: :namespace_id
  validates_uniqueness_of :path, scope: :namespace_id
  validates :import_url,
-    format: { with: URI::regexp(%w(ssh git http https)), message: 'should be a valid url' },
+    format: { with: /\A#{URI.regexp(%w(ssh git http https))}\z/, message: 'should be a valid url' },
    if: :import?
  validates :star_count, numericality: { greater_than_or_equal_to: 0 }
  validate :check_limit, on: :create

--- a/app/models/project_services/bamboo_service.rb
+++ b/app/models/project_services/bamboo_service.rb
@@ -25,7 +25,7 @@ class BambooService < CiService

  validates :bamboo_url,
    presence: true,
-    format: { with: URI::regexp },
+    format: { with: /\A#{URI.regexp}\z/ },
    if: :activated?
  validates :build_key, presence: true, if: :activated?
  validates :username,

--- a/app/models/project_services/external_wiki_service.rb
+++ b/app/models/project_services/external_wiki_service.rb
@@ -18,7 +18,7 @@ class ExternalWikiService < Service
  prop_accessor :external_wiki_url
  validates :external_wiki_url,
            presence: true,
-            format: { with: URI::regexp },
+            format: { with: /\A#{URI.regexp}\z/ },
            if: :activated?

  def title

--- a/app/models/project_services/teamcity_service.rb
+++ b/app/models/project_services/teamcity_service.rb
@@ -25,7 +25,7 @@ class TeamcityService < CiService

  validates :teamcity_url,
    presence: true,
-    format: { with: URI::regexp }, if: :activated?
+    format: { with: /\A#{URI.regexp}\z/ }, if: :activated?
  validates :build_type, presence: true, if: :activated?
  validates :username,
    presence: true,