Merge pull request #7382 from Razer6/git_ref_validation

Validate branch/tag-names and references WebUI, API

app/controllers/projects/branches_controller.rb

@@ -17,9 +17,17 @@ class Projects::BranchesController < Projects::ApplicationController
   end
 
   def create
-    @branch = CreateBranchService.new.execute(project, params[:branch_name], params[:ref], current_user)
-
-    redirect_to project_tree_path(@project, @branch.name)
+    result = CreateBranchService.new.execute(project,
+                                             params[:branch_name],
+                                             params[:ref],
+                                             current_user)
+    if result[:status] == :success
+      @branch = result[:branch]
+      redirect_to project_tree_path(@project, @branch.name)
+    else
+      @error = result[:message]
+      render action: 'new'
+    end
   end
 
   def destroy

app/controllers/projects/tags_controller.rb

@@ -13,10 +13,15 @@ class Projects::TagsController < Projects::ApplicationController
   end
 
   def create
-    @tag = CreateTagService.new.execute(@project, params[:tag_name],
-                                        params[:ref], current_user)
-
-    redirect_to project_tags_path(@project)
+    result = CreateTagService.new.execute(@project, params[:tag_name],
+                                          params[:ref], current_user)
+    if result[:status] == :success
+      @tag = result[:tag]
+      redirect_to project_tags_path(@project)
+    else
+      @error = result[:message]
+      render action: 'new'
+    end
   end
 
   def destroy

app/services/create_branch_service.rb

 class CreateBranchService
   def execute(project, branch_name, ref, current_user)
+    valid_branch = Gitlab::GitRefValidator.validate(branch_name)
+    if valid_branch == false
+      return error('Branch name invalid')
+    end
+
     repository = project.repository
+    existing_branch = repository.find_branch(branch_name)
+    if existing_branch
+      return error('Branch already exists')
+    end
+
     repository.add_branch(branch_name, ref)
     new_branch = repository.find_branch(branch_name)
 
     if new_branch
       Event.create_ref_event(project, current_user, new_branch, 'add')
+      return success(new_branch)
+    else
+      return error('Invalid reference name')
     end
+  end
+
+  def error(message)
+    {
+      message: message,
+      status: :error
+    }
+  end
 
-    new_branch
+  def success(branch)
+    {
+      branch: branch,
+      status: :success
+    }
   end
 end

app/services/create_tag_service.rb

 class CreateTagService
   def execute(project, tag_name, ref, current_user)
+    valid_tag = Gitlab::GitRefValidator.validate(tag_name)
+    if valid_tag == false
+      return error('Tag name invalid')
+    end
+
     repository = project.repository
+    existing_tag = repository.find_tag(tag_name)
+    if existing_tag
+      return error('Tag already exists')
+    end
+
     repository.add_tag(tag_name, ref)
     new_tag = repository.find_tag(tag_name)
 
     if new_tag
       Event.create_ref_event(project, current_user, new_tag, 'add', 'refs/tags')
+      return success(new_tag)
+    else
+      return error('Invalid reference name')
     end
+  end
+
+  def error(message)
+    {
+      message: message,
+      status: :error
+    }
+  end
 
-    new_tag
+  def success(branch)
+    {
+      tag: branch,
+      status: :success
+    }
   end
 end

app/services/delete_branch_service.rb

@@ -5,21 +5,21 @@ class DeleteBranchService
 
     # No such branch
     unless branch
-      return error('No such branch')
+      return error('No such branch', 404)
     end
 
     if branch_name == repository.root_ref
-      return error('Cannot remove HEAD branch')
+      return error('Cannot remove HEAD branch', 405)
     end
 
     # Dont allow remove of protected branch
     if project.protected_branch?(branch_name)
-      return error('Protected branch cant be removed')
+      return error('Protected branch cant be removed', 405)
     end
 
     # Dont allow user to remove branch if he is not allowed to push
     unless current_user.can?(:push_code, project)
-      return error('You dont have push access to repo')
+      return error('You dont have push access to repo', 405)
     end
 
     if repository.rm_branch(branch_name)
@@ -30,9 +30,10 @@ class DeleteBranchService
     end
   end
 
-  def error(message)
+  def error(message, return_code = 400)
     {
       message: message,
+      return_code: return_code,
       state: :error
     }
   end

app/views/projects/branches/new.html.haml

+- if @error
+  .alert.alert-danger
+    %button{ type: "button", class: "close", "data-dismiss" => "alert"} ×
+    = @error
 %h3.page-title
   %i.icon-code-fork
   New branch
@@ -5,11 +9,11 @@
   .form-group
     = label_tag :branch_name, 'Name for new branch', class: 'control-label'
     .col-sm-10
-      = text_field_tag :branch_name, nil, placeholder: 'enter new branch name', required: true, tabindex: 1, class: 'form-control'
+      = text_field_tag :branch_name, params[:branch_name], placeholder: 'enter new branch name', required: true, tabindex: 1, class: 'form-control'
   .form-group
     = label_tag :ref, 'Create from', class: 'control-label'
     .col-sm-10
-      = text_field_tag :ref, nil, placeholder: 'existing branch name, tag or commit SHA', required: true, tabindex: 2, class: 'form-control'
+      = text_field_tag :ref, params[:ref], placeholder: 'existing branch name, tag or commit SHA', required: true, tabindex: 2, class: 'form-control'
   .form-actions
     = submit_tag 'Create branch', class: 'btn btn-create', tabindex: 3
     = link_to 'Cancel', project_branches_path(@project), class: 'btn btn-cancel'

app/views/projects/tags/new.html.haml

+- if @error
+  .alert.alert-danger
+    %button{ type: "button", class: "close", "data-dismiss" => "alert"} ×
+    = @error
 %h3.page-title
   %i.icon-code-fork
   New tag
@@ -5,11 +9,11 @@
   .form-group
     = label_tag :tag_name, 'Name for new tag', class: 'control-label'
     .col-sm-10
-      = text_field_tag :tag_name, nil, placeholder: 'v3.0.1', required: true, tabindex: 1, class: 'form-control'
+      = text_field_tag :tag_name, params[:tag_name], placeholder: 'v3.0.1', required: true, tabindex: 1, class: 'form-control'
   .form-group
     = label_tag :ref, 'Create from', class: 'control-label'
     .col-sm-10
-      = text_field_tag :ref, nil, placeholder: 'master', required: true, tabindex: 2, class: 'form-control'
+      = text_field_tag :ref, params[:ref], placeholder: 'master', required: true, tabindex: 2, class: 'form-control'
       .light Branch name or commit SHA
   .form-actions
     = submit_tag 'Create tag', class: 'btn btn-create', tabindex: 3

doc/api/branches.md

@@ -196,6 +196,8 @@ Parameters:
 }
 ```
 
+It return 200 if succeed or 400 if failed with error message explaining reason.
+
 ## Delete repository branch
 
 ```
@@ -207,4 +209,5 @@ Parameters:
 - `id` (required) - The ID of a project
 - `branch` (required) - The name of the branch
 
-It return 200 if succeed or 405 if failed with error message explaining reason.
+It return 200 if succeed, 404 if the branch to be deleted does not exist
+or 400 for other reasons. In case of an error, an explaining message is provided.

doc/api/repositories.md

@@ -71,6 +71,9 @@ Parameters:
 ]
 ```
 
+It returns 200 if the operation succeed. In case of an error,
+405 with an explaining error message is returned.
+
 ## List repository tree
 
 Get a list of repository files and directories in a project.

features/project/commits/branches.feature

@@ -15,7 +15,7 @@ Feature: Project Browse branches
   Scenario: I create a branch
     Given I visit project branches page
     And I click new branch link
-    When I submit new branch form
+    And I submit new branch form
     Then I should see new branch created
 
   @javascript
@@ -23,3 +23,21 @@ Feature: Project Browse branches
     Given I visit project branches page
     And I click branch 'improve/awesome' delete link
     Then I should not see branch 'improve/awesome'
+
+  Scenario: I create a branch with invalid name
+    Given I visit project branches page
+    And I click new branch link
+    And I submit new branch form with invalid name
+    Then I should see new an error that branch is invalid
+
+  Scenario: I create a branch with invalid reference
+    Given I visit project branches page
+    And I click new branch link
+    And I submit new branch form with invalid reference
+    Then I should see new an error that ref is invalid
+
+  Scenario: I create a branch that already exists
+    Given I visit project branches page
+    And I click new branch link
+    And I submit new branch form with branch that already exists
+    Then I should see new an error that branch already exists

features/project/commits/tags.feature

@@ -7,5 +7,25 @@ Feature: Project Browse tags
   Scenario: I can see all git tags
     Then I should see "Shop" all tags list
 
+  Scenario: I create a tag
+    And I click new tag link
+    And I submit new tag form
+    Then I should see new tag created
+
+  Scenario: I create a tag with invalid name
+    And I click new tag link
+    And I submit new tag form with invalid name
+    Then I should see new an error that tag is invalid
+
+  Scenario: I create a tag with invalid reference
+    And I click new tag link
+    And I submit new tag form with invalid reference
+    Then I should see new an error that tag ref is invalid
+
+  Scenario: I create a tag that already exists
+    And I click new tag link
+    And I submit new tag form with tag that already exists
+    Then I should see new an error that tag already exists
+
   # @wip
   # Scenario: I can download project by tag

features/steps/project/browse_branches.rb

@@ -38,10 +38,38 @@ class ProjectBrowseBranches < Spinach::FeatureSteps
     click_button 'Create branch'
   end
 
+  step 'I submit new branch form with invalid name' do
+    fill_in 'branch_name', with: '1.0 stable'
+    fill_in 'ref', with: 'master'
+    click_button 'Create branch'
+  end
+
+  step 'I submit new branch form with invalid reference' do
+    fill_in 'branch_name', with: 'foo'
+    fill_in 'ref', with: 'foo'
+    click_button 'Create branch'
+  end
+
+  step 'I submit new branch form with branch that already exists' do
+    fill_in 'branch_name', with: 'master'
+    fill_in 'ref', with: 'master'
+    click_button 'Create branch'
+  end
+
   step 'I should see new branch created' do
-    within '.tree-ref-holder' do
-      page.should have_content 'deploy_keys'
-    end
+    page.should have_content 'deploy_keys'
+  end
+
+  step 'I should see new an error that branch is invalid' do
+    page.should have_content 'Branch name invalid'
+  end
+
+  step 'I should see new an error that ref is invalid' do
+    page.should have_content 'Invalid reference name'
+  end
+
+  step 'I should see new an error that branch already exists' do
+    page.should have_content 'Branch already exists'
   end
 
   step "I click branch 'improve/awesome' delete link" do

features/steps/project/browse_tags.rb

@@ -3,8 +3,52 @@ class ProjectBrowseTags < Spinach::FeatureSteps
   include SharedProject
   include SharedPaths
 
-  Then 'I should see "Shop" all tags list' do
+  step 'I should see "Shop" all tags list' do
     page.should have_content "Tags"
     page.should have_content "v1.0.0"
   end
+
+  step 'I click new tag link' do
+    click_link 'New tag'
+  end
+
+  step 'I submit new tag form' do
+    fill_in 'tag_name', with: 'v7.0'
+    fill_in 'ref', with: 'master'
+    click_button 'Create tag'
+  end
+
+  step 'I submit new tag form with invalid name' do
+    fill_in 'tag_name', with: 'v 1.0'
+    fill_in 'ref', with: 'master'
+    click_button 'Create tag'
+  end
+
+  step 'I submit new tag form with invalid reference' do
+    fill_in 'tag_name', with: 'foo'
+    fill_in 'ref', with: 'foo'
+    click_button 'Create tag'
+  end
+
+  step 'I submit new tag form with tag that already exists' do
+    fill_in 'tag_name', with: 'v1.0.0'
+    fill_in 'ref', with: 'master'
+    click_button 'Create tag'
+  end
+
+  step 'I should see new tag created' do
+    page.should have_content 'v7.0'
+  end
+
+  step 'I should see new an error that tag is invalid' do
+    page.should have_content 'Tag name invalid'
+  end
+
+  step 'I should see new an error that tag ref is invalid' do
+    page.should have_content 'Invalid reference name'
+  end
+
+  step 'I should see new an error that tag already exists' do
+    page.should have_content 'Tag already exists'
+  end
 end

lib/api/branches.rb

@@ -80,9 +80,17 @@ module API
       #   POST /projects/:id/repository/branches
       post ":id/repository/branches" do
         authorize_push_project
-        @branch = CreateBranchService.new.execute(user_project, params[:branch_name], params[:ref], current_user)
-
-        present @branch, with: Entities::RepoObject, project: user_project
+        result = CreateBranchService.new.execute(user_project,
+                                                 params[:branch_name],
+                                                 params[:ref],
+                                                 current_user)
+        if result[:status] == :success
+          present result[:branch],
+                  with: Entities::RepoObject,
+                  project: user_project
+        else
+          render_api_error!(result[:message], 400)
+        end
       end
 
       # Delete branch
@@ -99,7 +107,7 @@ module API
         if result[:state] == :success
           true
         else
-          render_api_error!(result[:message], 405)
+          render_api_error!(result[:message], result[:return_code])
         end
       end
     end

lib/api/repositories.rb

@@ -36,10 +36,15 @@ module API
       #   POST /projects/:id/repository/tags
       post ':id/repository/tags' do
         authorize_push_project
-        @tag = CreateTagService.new.execute(user_project, params[:tag_name],
-                                            params[:ref], current_user)
-
-        present @tag, with: Entities::RepoObject, project: user_project
+        result = CreateTagService.new.execute(user_project, params[:tag_name],
+                                              params[:ref], current_user)
+        if result[:status] == :success
+          present result[:tag],
+                  with: Entities::RepoObject,
+                  project: user_project
+        else
+          render_api_error!(result[:message], 400)
+        end
       end
 
       # Get a project repository tree

lib/gitlab/git_ref_validator.rb

+module Gitlab
+  module GitRefValidator
+    extend self
+    # Validates a given name against the git reference specification
+    #
+    # Returns true for a valid reference name, false otherwise
+    def validate(ref_name)
+      system *%W(git check-ref-format refs/#{ref_name})
+    end
+  end
+end

spec/lib/git_ref_validator_spec.rb

+require 'spec_helper'
+
+describe Gitlab::GitRefValidator do
+  it { Gitlab::GitRefValidator.validate('feature/new').should be_true }
+  it { Gitlab::GitRefValidator.validate('implement_@all').should be_true }
+  it { Gitlab::GitRefValidator.validate('my_new_feature').should be_true }
+  it { Gitlab::GitRefValidator.validate('#1').should be_true }
+  it { Gitlab::GitRefValidator.validate('feature/~new/').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature/^new/').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature/:new/').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature/?new/').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature/*new/').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature/[new/').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature/new/').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature/new.').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature\@{').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature\new').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature//new').should be_false }
+  it { Gitlab::GitRefValidator.validate('feature new').should be_false }
+end

spec/requests/api/branches_spec.rb

@@ -94,22 +94,50 @@ describe API::API, api: true  do
   describe "POST /projects/:id/repository/branches" do
     it "should create a new branch" do
       post api("/projects/#{project.id}/repository/branches", user),
-        branch_name: branch_name,
-        ref: branch_sha
+           branch_name: 'feature1',
+           ref: branch_sha
 
       response.status.should == 201
 
-      json_response['name'].should == branch_name
+      json_response['name'].should == 'feature1'
       json_response['commit']['id'].should == branch_sha
     end
 
     it "should deny for user without push access" do
       post api("/projects/#{project.id}/repository/branches", user2),
-        branch_name: branch_name,
-        ref: branch_sha
-
+           branch_name: branch_name,
+           ref: branch_sha
       response.status.should == 403
     end
+
+    it 'should return 400 if branch name is invalid' do
+      post api("/projects/#{project.id}/repository/branches", user),
+           branch_name: 'new design',
+           ref: branch_sha
+      response.status.should == 400
+      json_response['message'].should == 'Branch name invalid'
+    end
+
+    it 'should return 400 if branch already exists' do
+      post api("/projects/#{project.id}/repository/branches", user),
+           branch_name: 'new_design1',
+           ref: branch_sha
+      response.status.should == 201
+
+      post api("/projects/#{project.id}/repository/branches", user),
+           branch_name: 'new_design1',
+           ref: branch_sha
+      response.status.should == 400
+      json_response['message'].should == 'Branch already exists'
+    end
+
+    it 'should return 400 if ref name is invalid' do
+      post api("/projects/#{project.id}/repository/branches", user),
+           branch_name: 'new_design3',
+           ref: 'foo'
+      response.status.should == 400
+      json_response['message'].should == 'Invalid reference name'
+    end
   end
 
   describe "DELETE /projects/:id/repository/branches/:branch" do
@@ -120,6 +148,11 @@ describe API::API, api: true  do
       response.status.should == 200
     end
 
+    it 'should return 404 if branch not exists' do
+      delete api("/projects/#{project.id}/repository/branches/foobar", user)
+      response.status.should == 404
+    end
+
     it "should remove protected branch" do
       project.protected_branches.create(name: branch_name)
       delete api("/projects/#{project.id}/repository/branches/#{branch_name}", user)

spec/requests/api/repositories_spec.rb

@@ -25,20 +25,46 @@ describe API::API, api: true  do
   describe 'POST /projects/:id/repository/tags' do
     it 'should create a new tag' do
       post api("/projects/#{project.id}/repository/tags", user),
-           tag_name: 'v1.0.0',
+           tag_name: 'v2.0.0',
            ref: 'master'
-
       response.status.should == 201
-      json_response['name'].should == 'v1.0.0'
+      json_response['name'].should == 'v2.0.0'
     end
 
     it 'should deny for user without push access' do
       post api("/projects/#{project.id}/repository/tags", user2),
            tag_name: 'v1.0.0',
            ref: '621491c677087aa243f165eab467bfdfbee00be1'
-
       response.status.should == 403
     end
+
+    it 'should return 400 if tag name is invalid' do
+      post api("/projects/#{project.id}/repository/tags", user),
+           tag_name: 'v 1.0.0',
+           ref: 'master'
+      response.status.should == 400
+      json_response['message'].should == 'Tag name invalid'
+    end
+
+    it 'should return 400 if tag already exists' do
+      post api("/projects/#{project.id}/repository/tags", user),
+           tag_name: 'v8.0.0',
+           ref: 'master'
+      response.status.should == 201
+      post api("/projects/#{project.id}/repository/tags", user),
+           tag_name: 'v8.0.0',
+           ref: 'master'
+      response.status.should == 400
+      json_response['message'].should == 'Tag already exists'
+    end
+
+    it 'should return 400 if ref name is invalid' do
+      post api("/projects/#{project.id}/repository/tags", user),
+           tag_name: 'mytag',
+           ref: 'foo'
+      response.status.should == 400
+      json_response['message'].should == 'Invalid reference name'
+    end
   end
 
   describe "GET /projects/:id/repository/tree" do