# frozen_string_literal: true
module Gitlab
module Git
#
# PreReceiveError is special because its message gets displayed to users
# in the web UI. Because of this, we:
# - Only display errors that have been marked as safe with a prefix.
# This is to prevent leaking of stacktraces, or other sensitive info.
# - HTML-sanitize the surviving text so hook output cannot inject markup (XSS) into the page.
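class PreReceiveError < StandardError
  # Only lines that start with one of these prefixes are ever shown to the
  # user. Everything else the hook printed (stack traces, paths, internal
  # host names, whatever a custom hook happened to write) is dropped.
  SAFE_MESSAGE_PREFIXES = [
    'GitLab:', # Messages from gitlab-shell
    'GL-HOOK-ERR:' # Messages marked as safe by user
  ].freeze

  # Matches a single line carrying a safe prefix and captures the text after
  # it as :safe_message.
  #
  # - Anchored with \A rather than ^: sanitize splits on "\n" first so the two
  #   coincide today, but \A keeps the constant a whole-string anchor should
  #   it ever be applied to a multi-line string (^ would accept a prefix that
  #   merely starts some later line).
  # - Prefixes are escaped with Regexp.union so a future prefix containing a
  #   regex metacharacter cannot silently widen the match.
  SAFE_MESSAGE_REGEX = /\A(#{Regexp.union(SAFE_MESSAGE_PREFIXES).source})\s*(?<safe_message>.+)/.freeze

  # The unsanitized hook output exactly as received. It is kept for logging
  # and diagnostics only and must never be rendered to a user, since it may
  # carry sensitive details and unescaped markup.
  attr_reader :raw_message

  # @param message [String, nil] raw hook output; treated as untrusted
  # @param fallback_message [String] shown when no safe line survives
  #   sanitization. Caller-supplied and not sanitized, so it must not be
  #   built from hook output.
  def initialize(message = '', fallback_message: '')
    @raw_message = message

    # Only the sanitized text becomes the exception message (what the UI
    # displays); fall back when nothing safe was found or the input was blank.
    sanitized_msg = sanitize(message)

    super(sanitized_msg.presence || fallback_message)
  end

  private

  # In gitaly-ruby we override this method to do nothing, so that
  # sanitization happens in gitlab-rails only.
  #
  # Reduces the raw output to the safe part of each prefixed line, joins
  # those with "\n" and hands the result to Gitlab::Utils.nlbr (presumably
  # HTML-escaping and rendering newlines for the UI -- confirm against its
  # definition). Blank input is returned unchanged so the caller can apply
  # the fallback.
  #
  # @param message [String, nil] raw hook output
  # @return [String, nil] sanitized text, or the blank input as given
  def sanitize(message)
    return message if message.blank?

    # Per line: keep the text after a safe prefix, drop everything else.
    # .presence turns a prefix followed only by whitespace into nil so it
    # does not leave an empty line behind.
    safe_messages = message.split("\n").map do |msg|
      if (match = msg.match(SAFE_MESSAGE_REGEX))
        match[:safe_message].presence
      end
    end

    safe_messages = safe_messages.compact.join("\n")

    Gitlab::Utils.nlbr(safe_messages)
  end
end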
end
end