Commit f2449144 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'regex-start-of-string' into 'master'

Fix persistent XSS vulnerability around profile website URLs.

Fixes gitlab/gitlab-ee#268

See merge request !1761
parents 9df14763 0988be4e
......@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 7.10.0 (unreleased)
- Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
- Fix persistent XSS vulnerability around profile website URLs.
- Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
- Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
- Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
......
......@@ -153,7 +153,7 @@ class ApplicationController < ActionController::Base
end
def method_missing(method_sym, *arguments, &block)
if method_sym.to_s =~ /^authorize_(.*)!$/
if method_sym.to_s =~ /\Aauthorize_(.*)!\z/
authorize_project!($1.to_sym)
else
super
......
......@@ -125,7 +125,7 @@ module ApplicationHelper
# If reference is commit id - we should add it to branch/tag selectbox
if(@ref && !options.flatten.include?(@ref) &&
@ref =~ /^[0-9a-zA-Z]{6,52}$/)
@ref =~ /\A[0-9a-zA-Z]{6,52}\z/)
options << ['Commit', [@ref]]
end
......
......@@ -13,7 +13,7 @@ module GitlabMarkdownHelper
def link_to_gfm(body, url, html_options = {})
return "" if body.blank?
escaped_body = if body =~ /^\<img/
escaped_body = if body =~ /\A\<img/
body
else
escape_once(body)
......@@ -139,7 +139,7 @@ module GitlabMarkdownHelper
@project.path_with_namespace,
path_with_ref(file_path),
file_path
].compact.join("/").gsub(/^\/*|\/*$/, '') + id
].compact.join("/").gsub(/\A\/*|\/*\z/, '') + id
end
def sanitize_slashes(path)
......
......@@ -44,7 +44,7 @@ module SubmoduleHelper
def relative_self_url?(url)
# (./)?(../repo.git) || (./)?(../../project/repo.git) )
url =~ /^((\.\/)?(\.\.\/))(?!(\.\.)|(.*\/)).*\.git\Z/ || url =~ /^((\.\/)?(\.\.\/){2})(?!(\.\.))([^\/]*)\/(?!(\.\.)|(.*\/)).*\.git\Z/
url =~ /\A((\.\/)?(\.\.\/))(?!(\.\.)|(.*\/)).*\.git\z/ || url =~ /\A((\.\/)?(\.\.\/){2})(?!(\.\.))([^\/]*)\/(?!(\.\.)|(.*\/)).*\.git\z/
end
def standard_links(host, namespace, project, commit)
......
......@@ -148,7 +148,7 @@ class IrkerService < Service
def consider_uri(uri)
# Authorize both irc://domain.com/#chan and irc://domain.com/chan
if uri.is_a?(URI) && uri.scheme[/^ircs?$/] && !uri.path.nil?
if uri.is_a?(URI) && uri.scheme[/^ircs?\z/] && !uri.path.nil?
# Do not authorize irc://domain.com/
if uri.fragment.nil? && uri.path.length > 1
uri.to_s
......
......@@ -199,7 +199,7 @@ class Repository
def changelog
cache.fetch(:changelog) do
tree(:head).blobs.find do |file|
file.name =~ /^(changelog|history)/i
file.name =~ /\A(changelog|history)/i
end
end
end
......@@ -207,7 +207,7 @@ class Repository
def license
cache.fetch(:license) do
tree(:head).blobs.find do |file|
file.name =~ /^license/i
file.name =~ /\Alicense/i
end
end
end
......
......@@ -486,13 +486,13 @@ class User < ActiveRecord::Base
end
def full_website_url
return "http://#{website_url}" if website_url !~ /^https?:\/\//
return "http://#{website_url}" if website_url !~ /\Ahttps?:\/\//
website_url
end
def short_website_url
website_url.gsub(/https?:\/\//, '')
website_url.sub(/\Ahttps?:\/\//, '')
end
def all_ssh_keys
......
......@@ -13,9 +13,7 @@ class CreateTagService < BaseService
return error('Tag already exists')
end
if message
message.gsub!(/^\s+|\s+$/, '')
end
message.strip! if message
repository.add_tag(tag_name, ref, message)
new_tag = repository.find_tag(tag_name)
......
......@@ -11,8 +11,8 @@ class PostReceive
log("Check gitlab.yml config for correct gitlab_shell.repos_path variable. \"#{Gitlab.config.gitlab_shell.repos_path}\" does not match \"#{repo_path}\"")
end
repo_path.gsub!(/\.git$/, "")
repo_path.gsub!(/^\//, "")
repo_path.gsub!(/\.git\z/, "")
repo_path.gsub!(/\A\//, "")
project = Project.find_with_namespace(repo_path)
......
......@@ -208,7 +208,7 @@ Devise.setup do |config|
if Gitlab::LDAP::Config.enabled?
Gitlab.config.ldap.servers.values.each do |server|
if server['allow_username_or_email_login']
email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')}
email_stripping_proc = ->(name) {name.gsub(/@.*\z/,'')}
else
email_stripping_proc = ->(name) {name}
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment