Commit 485b8b86 authored by George Koltsov's avatar George Koltsov

Add filter param sanitization

parent 94e1404c
# frozen_string_literal: true # frozen_string_literal: true
class Import::BitbucketServerController < Import::BaseController class Import::BitbucketServerController < Import::BaseController
include ActionView::Helpers::SanitizeHelper
before_action :verify_bitbucket_server_import_enabled before_action :verify_bitbucket_server_import_enabled
before_action :bitbucket_auth, except: [:new, :configure] before_action :bitbucket_auth, except: [:new, :configure]
before_action :validate_import_params, only: [:create] before_action :validate_import_params, only: [:create]
...@@ -57,7 +59,7 @@ class Import::BitbucketServerController < Import::BaseController ...@@ -57,7 +59,7 @@ class Import::BitbucketServerController < Import::BaseController
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def status def status
@collection = bitbucket_client.repos(page_offset: page_offset, limit: limit_per_page, filter: params[:filter]) @collection = bitbucket_client.repos(page_offset: page_offset, limit: limit_per_page, filter: sanitized_filter_param)
@repos, @incompatible_repos = @collection.partition { |repo| repo.valid? } @repos, @incompatible_repos = @collection.partition { |repo| repo.valid? }
# Use the import URL to filter beyond what BaseService#find_already_added_projects # Use the import URL to filter beyond what BaseService#find_already_added_projects
...@@ -147,4 +149,8 @@ class Import::BitbucketServerController < Import::BaseController ...@@ -147,4 +149,8 @@ class Import::BitbucketServerController < Import::BaseController
def limit_per_page def limit_per_page
BitbucketServer::Paginator::PAGE_LENGTH BitbucketServer::Paginator::PAGE_LENGTH
end end
def sanitized_filter_param
sanitize(params[:filter])
end
end end
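Review bot: `sanitized_filter_param` runs the Rails HTML safe-list sanitizer over a value whose only consumer in this hunk is `bitbucket_client.repos(filter: ...)`, an API query parameter, and `sanitize` returns an `html_safe` `SafeBuffer` instead of the plain `String` the client received before. Stripping HTML tags says nothing about how the value is encoded in the Bitbucket Server request, so the protection for that path belongs in the client's URL encoding, which is outside this diff; the new method should state what it is for. I would add above it `# Strip HTML from the user-supplied filter before it is echoed on the status page; sanitize(nil) appears to return nil, so an absent param stays nil for the client.` and, if the client does not expect a SafeBuffer, return a plain string. The hunk omits the middle of the class, so whether this helper sits under `private` next to `limit_per_page` is not visible here.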
...@@ -23,7 +23,7 @@ ...@@ -23,7 +23,7 @@
.input-btn-group.float-right .input-btn-group.float-right
= form_tag status_import_bitbucket_server_path, :method => 'get' do = form_tag status_import_bitbucket_server_path, :method => 'get' do
= text_field_tag :filter, params[:filter], class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true = text_field_tag :filter, sanitize(params[:filter]), class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true
.table-responsive.prepend-top-10 .table-responsive.prepend-top-10
%table.table.import-jobs %table.table.import-jobs
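Review bot: Wrapping the value in `sanitize` inside `text_field_tag` is likely to weaken the escaping rather than strengthen it, because `sanitize` returns an `html_safe` buffer and the tag helper does not re-escape html_safe values when it writes the `value` attribute, whereas the previous `params[:filter]` was attribute-escaped by the helper itself. The safe-list sanitizer removes tags from text content but, as far as I can tell, leaves a double quote in text unescaped, so a filter value containing one could close the attribute. I would revert this line to `= text_field_tag :filter, params[:filter], class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true` and keep the sanitization in the controller, or expose the controller's sanitized value as a plain `String` for the view to escape.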
...@@ -32,8 +32,8 @@ Import your projects from Bitbucket Server to GitLab with minimal effort. ...@@ -32,8 +32,8 @@ Import your projects from Bitbucket Server to GitLab with minimal effort.
1. Attachments in Markdown are currently not imported. 1. Attachments in Markdown are currently not imported.
1. Task lists are not imported. 1. Task lists are not imported.
1. Emoji reactions are not imported 1. Emoji reactions are not imported
1. Project filtering does not support fuzzy search (only starts with or full 1. Project filtering does not support fuzzy search (only `starts with` or `full
match strings are currently supported) match strings` are currently supported)
## How it works ## How it works