[Rails5] Use `safe_params` instead of `params` in `url_for` helpers
This commit replaces `params` with `safe_params` in `url_for` helpers to resolve security issues [1] and failing specs with the ``` ArgumentError: Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure. ``` error. [1]: https://gitlab.com/gitlab-org/gitlab-ce/issues/45168
parent
ee189fd511
commit
350e26b8a6
|
@ -57,7 +57,7 @@ module IssuableCollections
|
|||
out_of_range = @issuables.current_page > total_pages # rubocop:disable Gitlab/ModuleWithInstanceVariables
|
||||
|
||||
if out_of_range
|
||||
redirect_to(url_for(params.merge(page: total_pages, only_path: true)))
|
||||
redirect_to(url_for(safe_params.merge(page: total_pages, only_path: true)))
|
||||
end
|
||||
|
||||
out_of_range
|
||||
|
|
|
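Review bot: The redirect on the new line stays correct only if `safe_params` permits every query key this collection page is expected to carry over (filters, sort, state); a key missing from the permit list is silently dropped from the generated URL rather than raising. The definition of `safe_params` is outside this hunk, so that cannot be checked here: if it is built from `params.permit(...)`, a short comment above the call such as `# safe_params drops any query key not on its permit list, so the redirect only keeps whitelisted filters` would make the trade-off visible, and if it is built from `to_unsafe_h` the ArgumentError the commit cites is only silenced, not fixed. The enclosing method starts before this hunk.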
@ -33,6 +33,6 @@ class Groups::ApplicationController < ApplicationController
|
|||
def build_canonical_path(group)
|
||||
params[:group_id] = group.to_param
|
||||
|
||||
url_for(params)
|
||||
url_for(safe_params)
|
||||
end
|
||||
end
|
||||
|
|
|
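Review bot: `build_canonical_path` still assigns `params[:group_id]` on the line above and then builds the URL from `safe_params`, so the canonical path contains `group_id` only if `safe_params` re-reads `params` on every call and `group_id` is on its permit list; a memoized `safe_params` would not see the assignment at all. Its definition is not in this hunk, so this is inferred rather than confirmed. Passing the value explicitly removes that dependency, `url_for(safe_params.merge(group_id: group.to_param))`, and the `params[:group_id]` assignment can then stay only if something else reads it. The Projects::ApplicationController hunk below has the same pattern with `namespace_id` and `project_id`.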
@ -25,7 +25,7 @@ class Projects::ApplicationController < ApplicationController
|
|||
params[:namespace_id] = project.namespace.to_param
|
||||
params[:project_id] = project.to_param
|
||||
|
||||
url_for(params)
|
||||
url_for(safe_params)
|
||||
end
|
||||
|
||||
def repository
|
||||
|
|
|
@ -3,5 +3,5 @@
|
|||
#js-peek{ data: { env: Peek.env,
|
||||
request_id: Peek.request_id,
|
||||
peek_url: peek_routes.results_url,
|
||||
profile_url: url_for(params.merge(lineprofiler: 'true')) },
|
||||
profile_url: url_for(safe_params.merge(lineprofiler: 'true')) },
|
||||
class: Peek.env }
|
||||
|
|
|
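Review bot: This template now calls `safe_params` from the view, which works only if the controller exposes it with `helper_method :safe_params` or a view helper defines it; a private controller method would raise NameError when the Peek bar renders, and since that bar is rendered on every page the failure would be broad. Neither the controller nor a helper is in this hunk, so this is a check rather than a confirmed defect. The diffs template in the next hunk (the `Expand all` link) has the same dependency.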
@ -8,7 +8,7 @@
|
|||
.files-changed-inner
|
||||
.inline-parallel-buttons.hidden-xs.hidden-sm
|
||||
- if !diffs_expanded? && diff_files.any? { |diff_file| diff_file.collapsed? }
|
||||
= link_to 'Expand all', url_for(params.merge(expanded: 1, format: nil)), class: 'btn btn-default'
|
||||
= link_to 'Expand all', url_for(safe_params.merge(expanded: 1, format: nil)), class: 'btn btn-default'
|
||||
- if show_whitespace_toggle
|
||||
- if current_controller?(:commit)
|
||||
= commit_diff_whitespace_link(diffs.project, @commit, class: 'hidden-xs')
|
||||
|
|