authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2017-03-06 20:26:58 +0200
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2017-03-07 09:43:35 +0200
commite6cc7a0a38927d3874f076900308f46c533a4e1d (patch)
tree6b47dc33e089f61d8e1e2c05d28df071ca3ce81f /app/validators
parent6b2d4947a6300f006fd46360161687fd19e18659 (diff)
Restrict nested group names to prevent ambiguous routesdz-nested-groups-restrictions
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Diffstat (limited to 'app/validators')
-rw-r--r--app/validators/namespace_validator.rb17
-rw-r--r--app/validators/project_path_validator.rb6
2 files changed, 16 insertions, 7 deletions
diff --git a/app/validators/namespace_validator.rb b/app/validators/namespace_validator.rb
index eb3ed31b65b..03921db6947 100644
--- a/app/validators/namespace_validator.rb
+++ b/app/validators/namespace_validator.rb
@@ -35,12 +35,21 @@ class NamespaceValidator < ActiveModel::EachValidator
users
].freeze
+ WILDCARD_ROUTES = %w[tree commits wikis new edit create update logs_tree
+ preview blob blame raw files create_dir find_file].freeze
+
+ STRICT_RESERVED = (RESERVED + WILDCARD_ROUTES).freeze
+
def self.valid?(value)
!reserved?(value) && follow_format?(value)
end
- def self.reserved?(value)
- RESERVED.include?(value)
+ def self.reserved?(value, strict: false)
+ if strict
+ STRICT_RESERVED.include?(value)
+ else
+ RESERVED.include?(value)
+ end
end
def self.follow_format?(value)
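Review bot: `self.valid?` in this hunk still calls `reserved?(value)` with the default `strict: false`, so any caller that checks a nested group path through `NamespaceValidator.valid?` will accept `tree`, `blob`, `raw` and the other wildcard names that `validate_each` now rejects. Whether such callers exist is not visible here, but the two entry points should agree. Forward the flag: `def self.valid?(value, strict: false)` with `!reserved?(value, strict: strict) && follow_format?(value)`. The branch in `reserved?` can also collapse to `(strict ? STRICT_RESERVED : RESERVED).include?(value)`, and `WILDCARD_ROUTES` deserves a comment saying these are the project route segments that would be mistaken for a subgroup path. The class body starts and ends outside the hunk.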
@@ -54,7 +63,9 @@ class NamespaceValidator < ActiveModel::EachValidator
record.errors.add(attribute, Gitlab::Regex.namespace_regex_message)
end
- if reserved?(value)
+ strict = record.is_a?(Group) && record.parent_id
+
+ if reserved?(value, strict: strict)
record.errors.add(attribute, "#{value} is a reserved name")
end
end
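Review bot: The strict check introduced at `strict = record.is_a?(Group) && record.parent_id` only runs when a record is validated, so a nested group already stored under one of the wildcard names keeps its ambiguous route until something saves it again. Nothing in this file section finds or renames such rows, so an audit or migration for existing nested groups is probably needed alongside this change. `strict` also carries the parent id rather than a boolean, and it would be nil for a subgroup whose parent is assigned but not yet persisted (to be confirmed against how subgroups are built). `strict = record.is_a?(Group) && record.parent_id.present?` plus a comment such as `# only subgroups share a URL prefix with project routes` would make the intent explicit. The enclosing `validate_each` starts outside the hunk.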
diff --git a/app/validators/project_path_validator.rb b/app/validators/project_path_validator.rb
index 36279daa743..ee2ae65be7b 100644
--- a/app/validators/project_path_validator.rb
+++ b/app/validators/project_path_validator.rb
@@ -14,10 +14,8 @@ class ProjectPathValidator < ActiveModel::EachValidator
# without tree as reserved name routing can match 'group/project' as group name,
# 'tree' as project name and 'deploy_keys' as route.
#
- RESERVED = (NamespaceValidator::RESERVED -
- %w[dashboard help ci admin search notes services assets profile public] +
- %w[tree commits wikis new edit create update logs_tree
- preview blob blame raw files create_dir find_file]).freeze
+ RESERVED = (NamespaceValidator::STRICT_RESERVED -
+ %w[dashboard help ci admin search notes services assets profile public]).freeze
def self.valid?(value)
!reserved?(value)
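Review bot: The exclusion list on the new `RESERVED` line is now subtracted after the wildcard names are merged in via `STRICT_RESERVED`, whereas the old expression subtracted first and appended the wildcard names last. The two are equivalent today because the lists do not overlap, but a name later added to both `WILDCARD_ROUTES` and the exclusion list would be silently allowed as a project path and reopen the route ambiguity described in the comment above. A comment on the subtraction would guard against this, for example `# top-level-only names that are safe as project paths; must never include a WILDCARD_ROUTES entry`. A spec asserting that every `NamespaceValidator::WILDCARD_ROUTES` entry is in `ProjectPathValidator::RESERVED` would enforce it.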