Improve consistency: use file_path for API create/update/delete files

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Improve consistency: use file_path for API create/update/delete files
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
3bab1bd4 · Dmitriy Zaporozhets · 33eae334 · 3bab1bd4 · 3bab1bd4 · 3bab1bd4
Commit 3bab1bd4 authored Nov 20, 2013 by Dmitriy Zaporozhets
6 changed files
--- a/app/contexts/files/create_context.rb
+++ b/app/contexts/files/create_context.rb
@@ -15,18 +15,13 @@ module Files
        return error("You can only create files if you are on top of a branch")
      end
-      file_name = params[:file_name]
+      file_name = File.basename(path)
+      file_path = path
      unless file_name =~ Gitlab::Regex.path_regex
        return error("Your changes could not be commited, because file name contains not allowed characters")
      end
-      file_path = if path.blank?
-                    file_name
-                  else
-                    File.join(path, file_name)
-                  end
      blob = repository.blob_at(ref, file_path)
      if blob

--- a/app/controllers/projects/new_tree_controller.rb
+++ b/app/controllers/projects/new_tree_controller.rb
@@ -5,11 +5,12 @@ class Projects::NewTreeController < Projects::BaseTreeController
  end
  def update
-    result = Files::CreateContext.new(@project, current_user, params, @ref, @path).execute
+    file_path = File.join(@path, File.basename(params[:file_name]))
+    result = Files::CreateContext.new(@project, current_user, params, @ref, file_path).execute
    if result[:status] == :success
      flash[:notice] = "Your changes have been successfully commited"
-      redirect_to project_blob_path(@project, File.join(@id, params[:file_name]))
+      redirect_to project_blob_path(@project, File.join(@ref, file_path))
    else
      flash[:alert] = result[:error]
      render :show

--- a/doc/api/repositories.md
+++ b/doc/api/repositories.md
@@ -379,8 +379,7 @@ POST /projects/:id/repository/files
 Parameters:
-+ `file_name` (required) - The name of new file. Ex. class.rb
+ `file_path` (optional) - Full path to new file. Ex. lib/class.rb
-+ `file_path` (optional) - The path to new file. Ex. lib/
 + `branch_name` (required) - The name of branch
 + `content` (required) - File content
 + `commit_message` (required) - Commit message

--- a/lib/api/files.rb
+++ b/lib/api/files.rb
@@ -8,8 +8,7 @@ module API
      # Create new file in repository
      #
      # Parameters:
-      #   file_name (required) - The name of new file. Ex. class.rb
+      #   file_path (optional) - The path to new file. Ex. lib/class.rb
-      #   file_path (optional) - The path to new file. Ex. lib/
      #   branch_name (required) - The name of branch
      #   content (required) - File content
      #   commit_message (required) - Commit message
@@ -18,8 +17,8 @@ module API
      #   POST /projects/:id/repository/files
      #
      post ":id/repository/files" do
-        required_attributes! [:file_name, :branch_name, :content, :commit_message]
+        required_attributes! [:file_path, :branch_name, :content, :commit_message]
-        attrs = attributes_for_keys [:file_name, :file_path, :branch_name, :content, :commit_message]
+        attrs = attributes_for_keys [:file_path, :branch_name, :content, :commit_message]
        branch_name = attrs.delete(:branch_name)
        file_path = attrs.delete(:file_path)
        result = ::Files::CreateContext.new(user_project, current_user, attrs, branch_name, file_path).execute
@@ -28,7 +27,6 @@ module API
          status(201)
          {
-            file_name: attrs[:file_name],
            file_path: file_path,
            branch_name: branch_name
          }

--- a/lib/gitlab/satellite/files/new_file_action.rb
+++ b/lib/gitlab/satellite/files/new_file_action.rb
@@ -18,6 +18,13 @@ module Gitlab
          # update the file in the satellite's working dir
          file_path_in_satellite = File.join(repo.working_dir, file_path)
+          # Prevent relative links
+          unless File.absolute_path(file_path_in_satellite) == file_path_in_satellite
+            Gitlab::GitLogger.error("NewFileAction: Relative path not allowed")
+            return false
+          end
          File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
          # add new file

--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -12,7 +12,7 @@ describe API::API do
  describe "POST /projects/:id/repository/files" do
    let(:valid_params) {
      {
-        file_name: 'newfile.rb',
+        file_path: 'newfile.rb',
        branch_name: 'master',
        content: 'puts 8',
        commit_message: 'Added newfile'
@@ -26,7 +26,7 @@ describe API::API do
      post api("/projects/#{project.id}/repository/files", user), valid_params
      response.status.should == 201
-      json_response['file_name'].should == 'newfile.rb'
+      json_response['file_path'].should == 'newfile.rb'
    end
    it "should return a 400 bad request if no params given" do