Merge branch 'rs-sanitize-submodule-urls' into 'security'
Sanitize submodule URLs before linking to them in the file tree view. See merge request !2084
parent
da13d1af3e
commit
9ae401cf91
|
@ -1,28 +1,30 @@
|
|||
module SubmoduleHelper
|
||||
include Gitlab::ShellAdapter
|
||||
|
||||
VALID_SUBMODULE_PROTOCOLS = %w[http https git ssh].freeze
|
||||
|
||||
# links to files listing for submodule if submodule is a project on this server
|
||||
def submodule_links(submodule_item, ref = nil, repository = @repository)
|
||||
url = repository.submodule_url_for(ref, submodule_item.path)
|
||||
|
||||
return url, nil unless url =~ /([^\/:]+)\/([^\/]+(?:\.git)?)\Z/
|
||||
if url =~ /([^\/:]+)\/([^\/]+(?:\.git)?)\Z/
|
||||
namespace, project = $1, $2
|
||||
project.sub!(/\.git\z/, '')
|
||||
|
||||
namespace = $1
|
||||
project = $2
|
||||
project.chomp!('.git')
|
||||
|
||||
if self_url?(url, namespace, project)
|
||||
return namespace_project_path(namespace, project),
|
||||
namespace_project_tree_path(namespace, project,
|
||||
submodule_item.id)
|
||||
elsif relative_self_url?(url)
|
||||
relative_self_links(url, submodule_item.id)
|
||||
elsif github_dot_com_url?(url)
|
||||
standard_links('github.com', namespace, project, submodule_item.id)
|
||||
elsif gitlab_dot_com_url?(url)
|
||||
standard_links('gitlab.com', namespace, project, submodule_item.id)
|
||||
if self_url?(url, namespace, project)
|
||||
[namespace_project_path(namespace, project),
|
||||
namespace_project_tree_path(namespace, project, submodule_item.id)]
|
||||
elsif relative_self_url?(url)
|
||||
relative_self_links(url, submodule_item.id)
|
||||
elsif github_dot_com_url?(url)
|
||||
standard_links('github.com', namespace, project, submodule_item.id)
|
||||
elsif gitlab_dot_com_url?(url)
|
||||
standard_links('gitlab.com', namespace, project, submodule_item.id)
|
||||
else
|
||||
[sanitize_submodule_url(url), nil]
|
||||
end
|
||||
else
|
||||
return url, nil
|
||||
[sanitize_submodule_url(url), nil]
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -73,4 +75,16 @@ module SubmoduleHelper
|
|||
namespace_project_tree_path(namespace, base, commit)
|
||||
]
|
||||
end
|
||||
|
||||
def sanitize_submodule_url(url)
|
||||
uri = URI.parse(url)
|
||||
|
||||
if uri.scheme.in?(VALID_SUBMODULE_PROTOCOLS)
|
||||
uri.to_s
|
||||
else
|
||||
nil
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
nil
|
||||
end
|
||||
end
|
||||
|
|
|
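Review bot: `sanitize_submodule_url` rescues only `URI::InvalidURIError`, so if `URI.parse` raises any other `URI::Error` subclass for a malformed submodule URL the tree view would fail instead of simply dropping the link; `rescue URI::Error` covers the whole family with no other change. Scheme-less scp-style URLs such as `git@host:group/repo.git` appear to either fail `URI.parse` or yield a nil scheme (which `nil.in?` turns into `nil`), so for hosts other than github.com/gitlab.com they now render with no link at all; if that is the intended trade-off it deserves a comment on the method, e.g. `# Returns the URL only when its scheme is in VALID_SUBMODULE_PROTOCOLS; scp-style, relative and unparsable URLs yield nil so no link is rendered`. The enclosing module and the `submodule_links` caller start in the earlier hunk.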
@ -0,0 +1,4 @@
|
|||
---
|
||||
title: Sanitize submodule URLs before linking to them in the file tree view
|
||||
merge_request:
|
||||
author:
|
|
@ -109,6 +109,18 @@ describe SubmoduleHelper do
|
|||
end
|
||||
|
||||
context 'submodule on unsupported' do
|
||||
it 'sanitizes unsupported protocols' do
|
||||
stub_url('javascript:alert("XSS");')
|
||||
|
||||
expect(helper.submodule_links(submodule_item)).to eq([nil, nil])
|
||||
end
|
||||
|
||||
it 'sanitizes unsupported protocols disguised as a repository URL' do
|
||||
stub_url('javascript:alert("XSS");foo/bar.git')
|
||||
|
||||
expect(helper.submodule_links(submodule_item)).to eq([nil, nil])
|
||||
end
|
||||
|
||||
it 'returns original' do
|
||||
stub_url('http://mygitserver.com/gitlab-org/gitlab-ce')
|
||||
expect(submodule_links(submodule_item)).to eq([repo.submodule_url_for, nil])
|
||||
|
|
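Review bot: Both new examples assert only the rejected path (`[nil, nil]`), so nothing pins that an allowed scheme on a third-party host still passes through `sanitize_submodule_url` unchanged; the existing `returns original` example covers `http` but not `ssh://` or the scp-style `git@host:group/repo.git` form, whose result after this change is not obvious from the spec. One example per entry of `VALID_SUBMODULE_PROTOCOLS`, plus one for the scp form stating the intended outcome, would document the contract. The `returns original` expectation also calls `submodule_links(...)` without `helper.`, unlike the new examples; presumably a context line, but worth aligning. The enclosing `describe SubmoduleHelper` block starts outside the hunk.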