-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | app/models/application_setting.rb | 2 | ||||
-rw-r--r-- | app/models/hooks/web_hook.rb | 2 | ||||
-rw-r--r-- | app/models/project.rb | 2 | ||||
-rw-r--r-- | app/models/project_services/bamboo_service.rb | 2 | ||||
-rw-r--r-- | app/models/project_services/external_wiki_service.rb | 2 | ||||
-rw-r--r-- | app/models/project_services/teamcity_service.rb | 2 |
7 files changed, 7 insertions, 6 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 09ee558112b..f544e63a124 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 v 7.10.0 (unreleased)
 - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
 - Fix persistent XSS vulnerability around profile website URLs.
+ - Fix project import URL regex to prevent arbitary local repos from being imported.
 - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
 - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
 - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 6e98c4c2f02..0d8365c4ff2 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -24,7 +24,7 @@ class ApplicationSetting < ActiveRecord::Base
 
 validates :home_page_url,
 allow_blank: true,
- format: { with: URI::regexp(%w(http https)), message: "should be a valid url" },
+ format: { with: /\A#{URI.regexp(%w(http https))}\z/, message: "should be a valid url" },
 if: :home_page_url_column_exist
 
 validates_each :restricted_visibility_levels do |record, attr, value|
diff --git a/app/models/hooks/web_hook.rb b/app/models/hooks/web_hook.rb
index defef7216f2..315d96af1b9 100644
--- a/app/models/hooks/web_hook.rb
+++ b/app/models/hooks/web_hook.rb
@@ -28,7 +28,7 @@ class WebHook < ActiveRecord::Base
 default_timeout Gitlab.config.gitlab.webhook_timeout
 
 validates :url, presence: true,
- format: { with: URI::regexp(%w(http https)), message: "should be a valid url" }
+ format: { with: /\A#{URI.regexp(%w(http https))}\z/, message: "should be a valid url" }
 
 def execute(data)
 parsed_url = URI.parse(url)
diff --git a/app/models/project.rb b/app/models/project.rb
index 5c310b4a8df..dcbafd76475 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
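Review bot: The anchoring in the new `format:` lines of application_setting.rb and web_hook.rb works only because a Regexp object is interpolated — `#{URI.regexp(...)}` expands via `Regexp#to_s` to a `(?x-mi:…)` group, which keeps the EXTENDED flag the URI pattern is compiled with and binds `\A`/`\z` to the whole pattern; a later refactor to `.source` would silently lose the flag and break matching. This deserves a one-line comment at the first use, e.g. `# interpolating the Regexp keeps its (?x) flag and groups it, so \A/\z anchor the whole URL`, or better a single shared constant such as `URL_REGEX = /\A#{URI.regexp(%w(http https))}\z/` (constructed name) so the six near-identical copies in application_setting.rb, web_hook.rb, project.rb, bamboo_service.rb, external_wiki_service.rb and teamcity_service.rb cannot drift apart again. `URI.regexp` is also marked obsolete in newer Rubies and warns under `-w`; `URI::DEFAULT_PARSER.make_regexp(%w(http https))` is the non-deprecated equivalent and yields the same Regexp. Each `validates` call continues outside its hunk.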
@@ -137,7 +137,7 @@ class Project < ActiveRecord::Base
 validates_uniqueness_of :name, scope: :namespace_id
 validates_uniqueness_of :path, scope: :namespace_id
 validates :import_url,
- format: { with: URI::regexp(%w(ssh git http https)), message: 'should be a valid url' },
+ format: { with: /\A#{URI.regexp(%w(ssh git http https))}\z/, message: 'should be a valid url' },
 if: :import?
 validates :star_count, numericality: { greater_than_or_equal_to: 0 }
 validate :check_limit, on: :create
diff --git a/app/models/project_services/bamboo_service.rb b/app/models/project_services/bamboo_service.rb
index f968afe9fa8..d8aedbd2ab4 100644
--- a/app/models/project_services/bamboo_service.rb
+++ b/app/models/project_services/bamboo_service.rb
@@ -25,7 +25,7 @@ class BambooService < CiService
 
 validates :bamboo_url,
 presence: true,
- format: { with: URI::regexp },
+ format: { with: /\A#{URI.regexp}\z/ },
 if: :activated?
 validates :build_key, presence: true, if: :activated?
 validates :username,
diff --git a/app/models/project_services/external_wiki_service.rb b/app/models/project_services/external_wiki_service.rb
index e521186798c..a199d0e86f2 100644
--- a/app/models/project_services/external_wiki_service.rb
+++ b/app/models/project_services/external_wiki_service.rb
@@ -18,7 +18,7 @@ class ExternalWikiService < Service
 prop_accessor :external_wiki_url
 validates :external_wiki_url,
 presence: true,
- format: { with: URI::regexp },
+ format: { with: /\A#{URI.regexp}\z/ },
 if: :activated?
 
 def title
diff --git a/app/models/project_services/teamcity_service.rb b/app/models/project_services/teamcity_service.rb
index c26bc551352..3c002a1634b 100644
--- a/app/models/project_services/teamcity_service.rb
+++ b/app/models/project_services/teamcity_service.rb
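Review bot: The bamboo_service.rb, external_wiki_service.rb and teamcity_service.rb hunks anchor a bare `URI.regexp`, which is built with no scheme list and therefore matches any scheme; the new `\A`/`\z` now reject trailing junk but still accept values such as `file:…` that the application_setting.rb, web_hook.rb and project.rb hunks in this same commit exclude by passing a scheme whitelist. For a URL the server later fetches (bamboo_url, teamcity_url) or renders as a link (external_wiki_url — presumably, confirm against the views), restrict it the same way, e.g. `format: { with: /\A#{URI.regexp(%w(http https))}\z/ },`. A short comment on each line stating why the scheme list is there, e.g. `# anchored and scheme-restricted: reject local paths and non-web schemes`, would keep the next editor from relaxing it. The enclosing `validates` calls continue outside these hunks.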
@@ -25,7 +25,7 @@ class TeamcityService < CiService
 
 validates :teamcity_url,
 presence: true,
- format: { with: URI::regexp }, if: :activated?
+ format: { with: /\A#{URI.regexp}\z/ }, if: :activated?
 validates :build_type, presence: true, if: :activated?
 validates :username,
 presence: true,