Merge branch 'dcouture-escape-branch-name-init' into 'master'

Escape branch names in push instructions See merge request gitlab-org/gitlab!82448

Merge branch 'dcouture-escape-branch-name-init' into 'master'
Escape branch names in push instructions See merge request gitlab-org/gitlab!82448
9314cd3f · Nikola Milojevic · 390eb00c · e1f3fd2b · 9314cd3f · 9314cd3f
Commit 9314cd3f authored Mar 10, 2022 by Nikola Milojevic
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 4 deletions

app/views/projects/empty.html.haml app/views/projects/empty.html.haml +5 -4

spec/views/projects/empty.html.haml_spec.rb spec/views/projects/empty.html.haml_spec.rb +15 -0

No files found.
--- a/app/views/projects/empty.html.haml
+++ b/app/views/projects/empty.html.haml
 - @content_class = "limit-container-width" unless fluid_layout
 - default_branch_name = @project.default_branch_or_main
+- escaped_default_branch_name = default_branch_name.shellescape
 - @skip_current_level_breadcrumb = true

 = render partial: 'flash_messages', locals: { project: @project }
@@ -42,25 +43,25 @@
        :preserve
          git clone #{ content_tag(:span, default_url_to_repo, class: 'js-clone')}
          cd #{h @project.path}
-          git switch -c #{h default_branch_name}
+          git switch -c #{h escaped_default_branch_name}
          touch README.md
          git add README.md
          git commit -m "add README"
        - if @project.can_current_user_push_to_default_branch?
          %span><
-            git push -u origin #{h default_branch_name }
+            git push -u origin #{h escaped_default_branch_name }

      %h5= _('Push an existing folder')
      %pre.bg-light
        :preserve
          cd existing_folder
-          git init --initial-branch=#{h default_branch_name}
+          git init --initial-branch=#{h escaped_default_branch_name}
          git remote add origin #{ content_tag(:span, default_url_to_repo, class: 'js-clone')}
          git add .
          git commit -m "Initial commit"
        - if @project.can_current_user_push_to_default_branch?
          %span><
-            git push -u origin #{h default_branch_name }
+            git push -u origin #{h escaped_default_branch_name }

      %h5= _('Push an existing Git repository')
      %pre.bg-light

--- a/spec/views/projects/empty.html.haml_spec.rb
+++ b/spec/views/projects/empty.html.haml_spec.rb
@@ -25,6 +25,21 @@ RSpec.describe 'projects/empty' do

      expect(rendered).to have_content("git clone")
    end
+
+    context 'when default branch name contains special shell characters' do
+      let(:branch_name) { ';rm -rf /' }
+
+      before do
+        allow(project).to receive(:default_branch_or_main).and_return(branch_name)
+      end
+
+      it 'escapes the default branch name' do
+        render
+
+        expect(rendered).not_to have_content(branch_name)
+        expect(rendered).to have_content(branch_name.shellescape)
+      end
+    end
  end

  context 'when user can not push code on the project' do