Commit 22d7c137 authored Oct 07, 2018 by Stan Hu
Reject invalid branch names in repository compare controller
Closes #51003
parent c3389c80
Showing 3 changed files with 46 additions and 0 deletions
app/controllers/projects/compare_controller.rb (+17, -0)
changelogs/unreleased/sh-handle-invalid-comparison.yml (+5, -0)
spec/controllers/projects/compare_controller_spec.rb (+24, -0)
app/controllers/projects/compare_controller.rb
...
@@ -16,6 +16,8 @@ class Projects::CompareController < Projects::ApplicationController
...
@@ -16,6 +16,8 @@ class Projects::CompareController < Projects::ApplicationController
before_action
:define_diff_notes_disabled
,
only:
[
:show
,
:diff_for_path
]
before_action
:define_diff_notes_disabled
,
only:
[
:show
,
:diff_for_path
]
before_action
:define_commits
,
only:
[
:show
,
:diff_for_path
,
:signatures
]
before_action
:define_commits
,
only:
[
:show
,
:diff_for_path
,
:signatures
]
before_action
:merge_request
,
only:
[
:index
,
:show
]
before_action
:merge_request
,
only:
[
:index
,
:show
]
# Validation
before_action
:validate_refs!
def
index
def
index
end
end
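Review bot: `before_action :validate_refs!` is declared after `define_commits`, and Rails runs before_action callbacks in declaration order, so on `show`, `diff_for_path` and `signatures` the commits are still computed from the raw `head_ref`/`start_ref` before the new validation ever runs; move the validation line above the `define_commits` callback so an invalid ref never reaches the code that resolves it. The callback also carries no `only:` list, which works because `valid_ref?` treats a blank ref as valid (so `index` passes), but the `# Validation` comment should say that this is intentional rather than an omission.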
...
@@ -63,6 +65,21 @@ class Projects::CompareController < Projects::ApplicationController
...
@@ -63,6 +65,21 @@ class Projects::CompareController < Projects::ApplicationController
private
private
def
valid_ref?
(
ref_name
)
return
true
unless
ref_name
.
present?
Gitlab
::
GitRefValidator
.
validate
(
ref_name
)
end
def
validate_refs!
valid
=
[
head_ref
,
start_ref
].
map
{
|
ref
|
valid_ref?
(
ref
)
}
return
if
valid
.
all?
flash
[
:alert
]
=
"Invalid branch name"
redirect_to
project_compare_index_path
(
@project
)
end
def
compare
def
compare
return
@compare
if
defined?
(
@compare
)
return
@compare
if
defined?
(
@compare
)
...
...
changelogs/unreleased/sh-handle-invalid-comparison.yml
0 → 100644
---
title
:
Reject invalid branch names in repository compare controller
merge_request
:
22186
author
:
type
:
fixed
spec/controllers/projects/compare_controller_spec.rb
...
@@ -97,6 +97,30 @@ describe Projects::CompareController do
...
@@ -97,6 +97,30 @@ describe Projects::CompareController do
expect
(
assigns
(
:commits
)).
to
eq
([])
expect
(
assigns
(
:commits
)).
to
eq
([])
end
end
end
end
context
'when the target ref is invalid'
do
let
(
:target_ref
)
{
"master%' AND 2554=4423 AND '%'='"
}
let
(
:source_ref
)
{
"improve%2Fawesome"
}
it
'shows a flash message and redirects'
do
show_request
expect
(
flash
[
:alert
]).
to
eq
(
'Invalid branch name'
)
expect
(
response
).
to
have_http_status
(
302
)
end
end
context
'when the source ref is invalid'
do
let
(
:source_ref
)
{
"master%' AND 2554=4423 AND '%'='"
}
let
(
:target_ref
)
{
"improve%2Fawesome"
}
it
'shows a flash message and redirects'
do
show_request
expect
(
flash
[
:alert
]).
to
eq
(
'Invalid branch name'
)
expect
(
response
).
to
have_http_status
(
302
)
end
end
end
end
describe
'GET diff_for_path'
do
describe
'GET diff_for_path'
do
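Review bot: both new contexts assert only the flash text and a 302, not where the redirect lands; add `expect(response).to redirect_to(project_compare_index_path(project))` (with whatever project the spec sets up) so a regression that redirects elsewhere is still caught. The two contexts are otherwise identical apart from which ref is invalid, so a `shared_examples` block parameterised on the bad ref would keep them in sync. Also note that the "valid" ref is passed as the literal string `improve%2Fawesome`; `%` is a legal character in git ref names, so it passes the validator as-is, but if the intent was a ref containing a slash, `show_request` should receive `improve/awesome` and let request encoding handle it.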
...
...