From 485b8b86edaeed1ba3a8bf55df23ca6cbc1f015b Mon Sep 17 00:00:00 2001
From: George Koltsov
Date: Tue, 6 Aug 2019 17:18:53 +0100
Subject: [PATCH] Add filter param sanitization

---
 app/controllers/import/bitbucket_server_controller.rb | 8 +++++++-
 app/views/import/bitbucket_server/status.html.haml | 2 +-
 doc/user/project/import/bitbucket_server.md | 4 ++--
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/app/controllers/import/bitbucket_server_controller.rb b/app/controllers/import/bitbucket_server_controller.rb
index 1956442b72b..dc72a4e4fd9 100644
--- a/app/controllers/import/bitbucket_server_controller.rb
+++ b/app/controllers/import/bitbucket_server_controller.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Import::BitbucketServerController < Import::BaseController
+  include ActionView::Helpers::SanitizeHelper
+
   before_action :verify_bitbucket_server_import_enabled
   before_action :bitbucket_auth, except: [:new, :configure]
   before_action :validate_import_params, only: [:create]
@@ -57,7 +59,7 @@ class Import::BitbucketServerController < Import::BaseController
 
   # rubocop: disable CodeReuse/ActiveRecord
   def status
-    @collection = bitbucket_client.repos(page_offset: page_offset, limit: limit_per_page, filter: params[:filter])
+    @collection = bitbucket_client.repos(page_offset: page_offset, limit: limit_per_page, filter: sanitized_filter_param)
     @repos, @incompatible_repos = @collection.partition { |repo| repo.valid? }
 
     # Use the import URL to filter beyond what BaseService#find_already_added_projects
@@ -147,4 +149,8 @@ class Import::BitbucketServerController < Import::BaseController
   def limit_per_page
     BitbucketServer::Paginator::PAGE_LENGTH
   end
+
+  def sanitized_filter_param
+    sanitize(params[:filter])
+  end
 end
diff --git a/app/views/import/bitbucket_server/status.html.haml b/app/views/import/bitbucket_server/status.html.haml
index 1218462577a..aac09801d91 100644
--- a/app/views/import/bitbucket_server/status.html.haml
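Review bot: Including `ActionView::Helpers::SanitizeHelper` into the controller mixes a view helper module into `Import::BitbucketServerController`, which also adds `strip_tags`, `strip_links` and `sanitize_css` to the controller's method table for the sake of one call. A narrower way to reach the same sanitizer is `ActionController::Base.helpers.sanitize(params[:filter])` inside `sanitized_filter_param` (defined in the last hunk of this file), which keeps the include out of the class body. This is a point of style only; it does not change what gets sanitized.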
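Review bot: `sanitize` is the Rails safe-list HTML sanitizer, so `sanitized_filter_param` does not yield a plain filter string: tags on the safe list (for example `<b>`) are kept, and the serializer entity-encodes characters such as `&` and `<`, so a repository filter like `a & b` reaches `bitbucket_client.repos` in the second hunk as `a &amp; b`. If the goal is to stop markup from the filter being reflected, that belongs at the point of output, while the value handed to the API should only be validated or URL-encoded by the client; the client call is outside this hunk, so I cannot confirm how it encodes the value. The return value is also an html_safe `ActiveSupport::SafeBuffer` rather than a `String` (presumably `nil` when the param is absent — confirm against the sanitizer), which deserves a comment on the new method: `# Runs the user-supplied filter through the safe-list HTML sanitizer; returns an html_safe SafeBuffer, not a plain String.` The `status` action that consumes it continues outside the second hunk.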
+++ b/app/views/import/bitbucket_server/status.html.haml
@@ -23,7 +23,7 @@
 
   .input-btn-group.float-right
     = form_tag status_import_bitbucket_server_path, :method => 'get' do
-      = text_field_tag :filter, params[:filter], class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true
+      = text_field_tag :filter, sanitize(params[:filter]), class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true
 
   .table-responsive.prepend-top-10
     %table.table.import-jobs
diff --git a/doc/user/project/import/bitbucket_server.md b/doc/user/project/import/bitbucket_server.md
index 5f426ed7153..28e211ee2ba 100644
--- a/doc/user/project/import/bitbucket_server.md
+++ b/doc/user/project/import/bitbucket_server.md
@@ -32,8 +32,8 @@ Import your projects from Bitbucket Server to GitLab with minimal effort.
 1. Attachments in Markdown are currently not imported.
 1. Task lists are not imported.
 1. Emoji reactions are not imported
-1. Project filtering does not support fuzzy search (only starts with or full
-   match strings are currently supported)
+1. Project filtering does not support fuzzy search (only `starts with` or `full
+   match strings` are currently supported)
 
 ## How it works
 
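Review bot: Wrapping the value in `sanitize` changes which layer escapes the `value` attribute: `sanitize` returns an html_safe `SafeBuffer`, and `tag_options` skips HTML-escaping for values that answer `html_safe?` (it still replaces `"` with `&quot;`), so attribute safety now rests on the sanitizer's serialization instead of the escaping `text_field_tag` applied to the plain `String` before this change. That holds as long as the safe-list sanitizer is what runs here, but the call is easy to mistake for a redundant one and remove, so a comment on the line is warranted, e.g. `-# sanitize returns an html_safe value; text_field_tag will not escape it a second time`. It also means a submitted filter containing markup is redisplayed in altered form (a safe-list tag survives, any other tag is stripped). The unescaped reflection this commit closes is not visible in the hunk, so whether this form value was the vulnerable sink is inferred, not confirmed.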