Add filter param sanitization

2019-08-06 17:18:53 +01:00 · 2019-08-06 17:18:53 +01:00 · 485b8b86ed
parent 94e1404c4b
commit 485b8b86ed
3 changed files with 10 additions and 4 deletions
--- a/app/controllers/import/bitbucket_server_controller.rb
+++ b/app/controllers/import/bitbucket_server_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class Import::BitbucketServerController < Import::BaseController
+  include ActionView::Helpers::SanitizeHelper
+
  before_action :verify_bitbucket_server_import_enabled
  before_action :bitbucket_auth, except: [:new, :configure]
  before_action :validate_import_params, only: [:create]
@ -57,7 +59,7 @@ class Import::BitbucketServerController < Import::BaseController

  # rubocop: disable CodeReuse/ActiveRecord
  def status
-    @collection = bitbucket_client.repos(page_offset: page_offset, limit: limit_per_page, filter: params[:filter])
+    @collection = bitbucket_client.repos(page_offset: page_offset, limit: limit_per_page, filter: sanitized_filter_param)
    @repos, @incompatible_repos = @collection.partition { |repo| repo.valid? }

    # Use the import URL to filter beyond what BaseService#find_already_added_projects
@ -147,4 +149,8 @@ class Import::BitbucketServerController < Import::BaseController
  def limit_per_page
    BitbucketServer::Paginator::PAGE_LENGTH
  end
+
+  def sanitized_filter_param
+    sanitize(params[:filter])
+  end
 end
--- a/app/views/import/bitbucket_server/status.html.haml
+++ b/app/views/import/bitbucket_server/status.html.haml
@ -23,7 +23,7 @@

 .input-btn-group.float-right
  = form_tag status_import_bitbucket_server_path, :method => 'get' do
-    = text_field_tag :filter, params[:filter], class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true
+    = text_field_tag :filter, sanitize(params[:filter]), class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true

 .table-responsive.prepend-top-10
  %table.table.import-jobs
--- a/doc/user/project/import/bitbucket_server.md
+++ b/doc/user/project/import/bitbucket_server.md
@ -32,8 +32,8 @@ Import your projects from Bitbucket Server to GitLab with minimal effort.
 1. Attachments in Markdown are currently not imported.
 1. Task lists are not imported.
 1. Emoji reactions are not imported
-1. Project filtering does not support fuzzy search (only starts with or full
-   match strings are currently supported)
+1. Project filtering does not support fuzzy search (only `starts with` or `full
+   match strings` are currently supported)

 ## How it works