Add filter param sanitization

This commit is contained in:
George Koltsov 2019-08-06 17:18:53 +01:00
parent 94e1404c4b
commit 485b8b86ed
3 changed files with 10 additions and 4 deletions


@ -1,6 +1,8 @@
# frozen_string_literal: true # frozen_string_literal: true
class Import::BitbucketServerController < Import::BaseController class Import::BitbucketServerController < Import::BaseController
include ActionView::Helpers::SanitizeHelper
before_action :verify_bitbucket_server_import_enabled before_action :verify_bitbucket_server_import_enabled
before_action :bitbucket_auth, except: [:new, :configure] before_action :bitbucket_auth, except: [:new, :configure]
before_action :validate_import_params, only: [:create] before_action :validate_import_params, only: [:create]
@ -57,7 +59,7 @@ class Import::BitbucketServerController < Import::BaseController
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def status def status
@collection = bitbucket_client.repos(page_offset: page_offset, limit: limit_per_page, filter: params[:filter]) @collection = bitbucket_client.repos(page_offset: page_offset, limit: limit_per_page, filter: sanitized_filter_param)
@repos, @incompatible_repos = @collection.partition { |repo| repo.valid? } @repos, @incompatible_repos = @collection.partition { |repo| repo.valid? }
# Use the import URL to filter beyond what BaseService#find_already_added_projects # Use the import URL to filter beyond what BaseService#find_already_added_projects
@ -147,4 +149,8 @@ class Import::BitbucketServerController < Import::BaseController
def limit_per_page def limit_per_page
BitbucketServer::Paginator::PAGE_LENGTH BitbucketServer::Paginator::PAGE_LENGTH
end end
def sanitized_filter_param
sanitize(params[:filter])
end
end end
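Review bot: `sanitized_filter_param` (third hunk) runs the value through an HTML allowlist sanitizer before it is handed to `bitbucket_client.repos` as the `filter:` query parameter (second hunk), and that changes the string rather than just protecting it: tags are dropped and, as far as I know, the Loofah-backed sanitizer serialises `&`, `<` and `>` as entities, so a filter such as `R&D` reaches the API as `R&amp;D` and stops matching. What the outbound call needs is URL encoding, which is the client's job; HTML sanitization belongs at the point where the value is rendered. If the intent is nevertheless to strip markup before it is echoed back, the method should say so, e.g. `# Strip HTML from the user-supplied filter; the status view renders it back to the user.`, and it could be shared with the view via `helper_method :sanitized_filter_param` so the template does not call `sanitize` a second time. Including `ActionView::Helpers::SanitizeHelper` into the controller (first hunk) can then be avoided by using the `helpers.sanitize(params[:filter])` proxy instead.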


@ -23,7 +23,7 @@
.input-btn-group.float-right .input-btn-group.float-right
= form_tag status_import_bitbucket_server_path, :method => 'get' do = form_tag status_import_bitbucket_server_path, :method => 'get' do
= text_field_tag :filter, params[:filter], class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true = text_field_tag :filter, sanitize(params[:filter]), class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true
.table-responsive.prepend-top-10 .table-responsive.prepend-top-10
%table.table.import-jobs %table.table.import-jobs
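Review bot: `text_field_tag` already HTML-escapes the `value` it emits, so wrapping `params[:filter]` in `sanitize` adds no escaping on this line; what it changes is the echoed text (markup the allowlist rejects disappears, markup it accepts is kept) and the type of the value, which is now an html_safe `SafeBuffer` that the tag helper trusts instead of a plain `String` it escapes in full — worth confirming against the Rails version in use. If the goal is to show the user exactly the string the API was queried with, reuse the controller's `sanitized_filter_param` (exposed with `helper_method`) so the two cannot drift: `= text_field_tag :filter, sanitized_filter_param, class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true`. Otherwise the original `params[:filter]` is the simpler and fully escaped value to pass here.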


@ -32,8 +32,8 @@ Import your projects from Bitbucket Server to GitLab with minimal effort.
1. Attachments in Markdown are currently not imported. 1. Attachments in Markdown are currently not imported.
1. Task lists are not imported. 1. Task lists are not imported.
1. Emoji reactions are not imported 1. Emoji reactions are not imported
1. Project filtering does not support fuzzy search (only starts with or full 1. Project filtering does not support fuzzy search (only `starts with` or `full
match strings are currently supported) match strings` are currently supported)
## How it works ## How it works