Commit 6b2719e7 authored by Alex Kalderimis's avatar Alex Kalderimis

Merge branch 'manifest-unsafe-scheme' into 'master'

Disallow import URL schemes that start with javascript

See merge request gitlab-org/gitlab!57071
parents eb3a3410 e251a51a
---
title: Validate import manifest url scheme
merge_request: 57071
author:
type: fixed
......@@ -47,6 +47,10 @@ module Gitlab
@errors << 'Make sure every <project> tag has name and path attributes.'
end
unless validate_scheme
@errors << 'Make sure the url does not start with javascript'
end
@errors.empty?
end
......@@ -64,6 +68,10 @@ module Gitlab
end
end
def validate_scheme
remote !~ /\Ajavascript/i
end
def repository_url(name)
Gitlab::Utils.append_path(remote, name)
end
......
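Review bot: `validate_scheme` (lines 25-27) rejects only a `javascript` prefix, so the check is a denylist of one scheme rather than an allowlist of the schemes the importer can actually clone from; the enclosing class continues outside the hunk. A more robust form parses the value and accepts only an expected set, e.g. `%w[http https ssh git].include?(URI.parse(remote.to_s).scheme&.downcase)` with `URI::InvalidURIError` treated as a failure, which also covers a missing or malformed remote — note that with the current regex a `nil` remote passes, because `nil !~ /.../` is true, unless it is rejected elsewhere. The method would also benefit from a one-line why-comment, since the error text at line 18 describes the rule but not the reason: `# remote is used to build repository URLs shown in the import UI, so only repository URL schemes are accepted` (the "shown in the UI" part is inferred from the feature spec; confirm against the view).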
......@@ -42,6 +42,15 @@ RSpec.describe 'Import multiple repositories by uploading a manifest file', :js
end
end
it 'renders an error if the remote url scheme starts with javascript' do
visit new_import_manifest_path
attach_file('manifest', Rails.root.join('spec/fixtures/unsafe_javascript.xml'))
click_on 'List available repositories'
expect(page).to have_content 'Make sure the url does not start with javascript'
end
it 'renders an error if invalid file was provided' do
visit new_import_manifest_path
......
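Review bot: The feature spec at lines 35-40 pins only the rendered error text for the single `spec/fixtures/unsafe_javascript.xml` fixture, so the case-insensitive `/i` flag on the new regex is not exercised. A unit spec on the manifest validator, calling its validation with a remote such as `'JavaScript:...'` and with no remote at all, would cover those branches without the browser round-trip; it should assert on the same message string so the two specs stay in step. The surrounding `RSpec.describe` block continues outside the hunk.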
<manifest>
<remote review="javascript://HelloTheGitlabSecurityTeam%0Aprompt(1)%0A" />
<project path="test1" name="manifest1" />
<project path="test2" name="manifest2" />
<project path="test3" name="manifest3" />
<project path="test4" name="manifest4" />
<project path="test5" name="manifest5" />
<project path="test6" name="manifest6" />
</manifest>
\ No newline at end of file