Merge branch 'sh-strip-github-pat-whitespace' into 'master'

Strip whitespace around GitHub personal access tokens Closes #46588 See merge request gitlab-org/gitlab-ce!22432
2018-10-18 07:35:05 +00:00 · 2018-10-18 07:35:05 +00:00 · 8aed9055a7
parent 4ef9bb6a04 3d82f20d1b
commit 8aed9055a7
3 changed files with 18 additions and 1 deletions
--- a/app/controllers/import/github_controller.rb
+++ b/app/controllers/import/github_controller.rb
@ -20,7 +20,7 @@ class Import::GithubController < Import::BaseController
  end

  def personal_access_token
-    session[access_token_key] = params[:personal_access_token]
+    session[access_token_key] = params[:personal_access_token]&.strip
    redirect_to status_import_url
  end

--- a/changelogs/unreleased/sh-strip-github-pat-whitespace.yml
+++ b/changelogs/unreleased/sh-strip-github-pat-whitespace.yml
@ -0,0 +1,5 @@
+---
+title: Strip whitespace around GitHub personal access tokens
+merge_request: 22432
+author:
+type: fixed
--- a/spec/support/controllers/githubish_import_controller_shared_examples.rb
+++ b/spec/support/controllers/githubish_import_controller_shared_examples.rb
@ -22,6 +22,18 @@ shared_examples 'a GitHub-ish import controller: POST personal_access_token' do
    expect(session[:"#{provider}_access_token"]).to eq(token)
    expect(controller).to redirect_to(status_import_url)
  end
+
+  it "strips access token with spaces" do
+    token = 'asdfasdf9876'
+
+    allow_any_instance_of(Gitlab::LegacyGithubImport::Client)
+      .to receive(:user).and_return(true)
+
+    post :personal_access_token, personal_access_token: "  #{token} "
+
+    expect(session[:"#{provider}_access_token"]).to eq(token)
+    expect(controller).to redirect_to(status_import_url)
+  end
 end

 shared_examples 'a GitHub-ish import controller: GET new' do