author | Douwe Maan <douwe@gitlab.com> | 2017-04-10 16:55:31 +0000 |
---|---|---|
committer | Lin Jen-Shin <godfat@godfat.org> | 2017-05-04 20:02:49 +0800 |
commit | ef14ec6634c6735784d7947a1ea13874a6c97654 (patch) | |
tree | 5b1f289814b33c4e3d1e9f44bd89c91ec81173c6 /app | |
parent | 6ecd901bed3172fd31611a03a102209d0cf8cb16 (diff) | |
Merge branch 'rs-sanitize-submodule-urls' into 'security'
Sanitize submodule URLs before linking to them in the file tree view
See merge request !2084
Diffstat (limited to 'app')
-rw-r--r-- | app/helpers/submodule_helper.rb | 46 |
1 files changed, 30 insertions, 16 deletions
diff --git a/app/helpers/submodule_helper.rb b/app/helpers/submodule_helper.rb
index fb95f2b565e..b50b2578a8a 100644
--- a/app/helpers/submodule_helper.rb
+++ b/app/helpers/submodule_helper.rb
@@ -1,28 +1,30 @@
 module SubmoduleHelper
   include Gitlab::ShellAdapter
 
+  VALID_SUBMODULE_PROTOCOLS = %w[http https git ssh].freeze
+
   # links to files listing for submodule if submodule is a project on this server
   def submodule_links(submodule_item, ref = nil, repository = @repository)
     url = repository.submodule_url_for(ref, submodule_item.path)
 
-    return url, nil unless url =~ /([^\/:]+)\/([^\/]+\.git)\Z/
-
-    namespace = $1
-    project = $2
-    project.chomp!('.git')
+    if url =~ /([^\/:]+)\/([^\/]+\.git)\Z/
+      namespace, project = $1, $2
+      project.sub!(/\.git\z/, '')
 
-    if self_url?(url, namespace, project)
-      return namespace_project_path(namespace, project),
-        namespace_project_tree_path(namespace, project,
-          submodule_item.id)
-    elsif relative_self_url?(url)
-      relative_self_links(url, submodule_item.id)
-    elsif github_dot_com_url?(url)
-      standard_links('github.com', namespace, project, submodule_item.id)
-    elsif gitlab_dot_com_url?(url)
-      standard_links('gitlab.com', namespace, project, submodule_item.id)
+      if self_url?(url, namespace, project)
+        [namespace_project_path(namespace, project),
+         namespace_project_tree_path(namespace, project, submodule_item.id)]
+      elsif relative_self_url?(url)
+        relative_self_links(url, submodule_item.id)
+      elsif github_dot_com_url?(url)
+        standard_links('github.com', namespace, project, submodule_item.id)
+      elsif gitlab_dot_com_url?(url)
+        standard_links('gitlab.com', namespace, project, submodule_item.id)
+      else
+        [sanitize_submodule_url(url), nil]
+      end
     else
-      return url, nil
+      [sanitize_submodule_url(url), nil]
     end
   end
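Review bot: Both fall-through branches now return `[sanitize_submodule_url(url), nil]`, so `submodule_links` can yield a nil first element where it previously always returned the raw URL string; any view or helper that interpolates that value into an href without a presence check (they are outside this hunk) needs to tolerate nil, otherwise the sanitised result is rendered as an empty link rather than no link. The two identical branches could also be folded by guarding the match and the known-host checks together, so a single `[sanitize_submodule_url(url), nil]` is the only place an arbitrary URL can escape. A short comment above the constant would make the intent explicit: `# Only these schemes may be emitted as submodule hrefs; anything else (javascript:, data:, …) is dropped`.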
@@ -71,4 +73,16 @@ module SubmoduleHelper
       namespace_project_tree_path(namespace, base, commit)
     ]
   end
+
+  def sanitize_submodule_url(url)
+    uri = URI.parse(url)
+
+    if uri.scheme.in?(VALID_SUBMODULE_PROTOCOLS)
+      uri.to_s
+    else
+      nil
+    end
+  rescue URI::InvalidURIError
+    nil
+  end
 end
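Review bot: `sanitize_submodule_url` carries no comment even though its nil return is the security contract the rest of the helper now relies on; suggest `# Returns url only if its scheme is in VALID_SUBMODULE_PROTOCOLS; returns nil for other schemes (e.g. javascript:) and for strings URI cannot parse, so the caller never links to them.` The allow-list check depends on `URI.parse` lower-casing the scheme (Ruby's URI::Generic does this, so `JAVASCRIPT:` is rejected) and on a scheme-less URL giving `nil.in?` → false via ActiveSupport; both hold here but are worth stating in that comment so a later refactor to plain `Array#include?` on an un-normalised string does not reopen the hole. Stylistically the `if/else nil end` reduces to a modifier, `uri.to_s if uri.scheme.in?(VALID_SUBMODULE_PROTOCOLS)`.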