From 6cf7dd625a7db143c146de1b146cba7dbcbc2576 Mon Sep 17 00:00:00 2001 From: Douwe Maan Date: Fri, 10 Apr 2015 18:27:42 +0200 Subject: Fix persistent XSS vulnerability around profile website URLs. --- CHANGELOG | 2 ++ app/models/user.rb | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 0878c03207b..3c119a93d36 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,8 @@ Please view this file on the master branch, on stable branches it's out of date. v 7.10.0 (unreleased) + - Fix persistent XSS vulnerability around profile website URLs. + - Fix broken file browsing with a submodule that contains a relative link (Stan Hu) - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu) - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu) - Add ability to configure Reply-To address in gitlab.yml (Stan Hu) diff --git a/app/models/user.rb b/app/models/user.rb index 515f29ea0ba..e2b6757bc4d 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -486,13 +486,13 @@ class User < ActiveRecord::Base end def full_website_url - return "http://#{website_url}" if website_url !~ /^https?:\/\// + return "http://#{website_url}" if website_url !~ /\Ahttps?:\/\// website_url end def short_website_url - website_url.gsub(/https?:\/\//, '') + website_url.sub(/\Ahttps?:\/\//, '') end def all_ssh_keys -- cgit v1.2.1 From 0ece6bd82839d0c9e3e27b65a6a201771f09190e Mon Sep 17 00:00:00 2001 
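Review bot: The `\A` anchor in `full_website_url` closes the multi-line bypass (a value like `"javascript:…\nhttp://"` previously satisfied `^https?://`), but the guard is applied only on read: the raw `website_url` is still persisted unchanged, so any other consumer that renders the column directly (an API serializer, another view — not visible from this hunk) is not covered by this method. A write-time validation would make the fix defense-in-depth, e.g. `validates :website_url, format: { with: %r{\A(https?://)?[^\s]*\z} }, allow_blank: true`, rejecting whitespace and control characters outright rather than relying on each reader to re-anchor. Separately, `nil !~ /…/` is true, so `full_website_url` returns the bare string `"http://"` for a nil `website_url`, while `short_website_url` raises `NoMethodError` on nil; callers presumably check `website_url.present?` first, but a `return if website_url.blank?` guard (or a comment stating that precondition) would make the contract explicit. Both methods are fully contained in the hunk.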
From: Douwe Maan Date: Fri, 10 Apr 2015 18:30:02 +0200 Subject: Use `\A` and `\z` in regexes instead of `^` and `$`. --- app/controllers/application_controller.rb | 2 +- app/helpers/application_helper.rb | 2 +- app/helpers/gitlab_markdown_helper.rb | 4 ++-- app/helpers/submodule_helper.rb | 2 +- app/models/project_services/irker_service.rb | 2 +- app/models/repository.rb | 4 ++-- app/services/create_tag_service.rb | 4 +--- app/workers/post_receive.rb | 4 ++-- config/initializers/devise.rb | 2 +- 9 files changed, 12 insertions(+), 14 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 80e983b5314..0521a9ef8cf 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -153,7 +153,7 @@ class ApplicationController < ActionController::Base end def method_missing(method_sym, *arguments, &block) - if method_sym.to_s =~ /^authorize_(.*)!$/ + if method_sym.to_s =~ /\Aauthorize_(.*)!\z/ authorize_project!($1.to_sym) else super diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb index 3f3509bb18a..b5b0015542c 100644 --- a/app/helpers/application_helper.rb +++ b/app/helpers/application_helper.rb @@ -125,7 +125,7 @@ module ApplicationHelper # If reference is commit id - we should add it to branch/tag selectbox if(@ref && !options.flatten.include?(@ref) && - @ref =~ /^[0-9a-zA-Z]{6,52}$/) + @ref =~ /\A[0-9a-zA-Z]{6,52}\z/) options << ['Commit', [@ref]] end diff --git a/app/helpers/gitlab_markdown_helper.rb b/app/helpers/gitlab_markdown_helper.rb index 17266656a4e..aa1de2f50ef 100644 --- a/app/helpers/gitlab_markdown_helper.rb +++ b/app/helpers/gitlab_markdown_helper.rb @@ -13,7 +13,7 @@ module GitlabMarkdownHelper def link_to_gfm(body, url, html_options = {}) return "" if body.blank? - escaped_body = if body =~ /^\ 1 uri.to_s diff --git a/app/models/repository.rb b/app/models/repository.rb index 72769498872..263a436d521 100644 
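Review bot: The `\A…\z` anchors on `method_missing` in `application_controller.rb` do not narrow what reaches `authorize_project!($1.to_sym)`, because the capture is still `(.*)`; a tighter class such as `/\Aauthorize_([a-z_]+)!\z/` documents the expected shape and avoids interning arbitrary strings as symbols (as far as this hunk shows these names come from code, not from request input, so this is hygiene rather than an exploitable path). The override also has no matching `respond_to_missing?`, so `respond_to?(:authorize_foo!)` and `method(:authorize_foo!)` will disagree with the dynamic dispatch; add `def respond_to_missing?(method_sym, include_private = false)` returning `method_sym.to_s =~ /\Aauthorize_[a-z_]+!\z/ || super`. The method's `else`/`super` branch and closing `end` lie outside the hunk.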
--- a/app/models/repository.rb +++ b/app/models/repository.rb @@ -199,7 +199,7 @@ class Repository def changelog cache.fetch(:changelog) do tree(:head).blobs.find do |file| - file.name =~ /^(changelog|history)/i + file.name =~ /\A(changelog|history)/i end end end @@ -207,7 +207,7 @@ class Repository def license cache.fetch(:license) do tree(:head).blobs.find do |file| - file.name =~ /^license/i + file.name =~ /\Alicense/i end end end diff --git a/app/services/create_tag_service.rb b/app/services/create_tag_service.rb index 4115d689925..25f9e203246 100644 --- a/app/services/create_tag_service.rb +++ b/app/services/create_tag_service.rb @@ -13,9 +13,7 @@ class CreateTagService < BaseService return error('Tag already exists') end - if message - message.gsub!(/^\s+|\s+$/, '') - end + message.strip! if message repository.add_tag(tag_name, ref, message) new_tag = repository.find_tag(tag_name) diff --git a/app/workers/post_receive.rb b/app/workers/post_receive.rb index 0c3ee6ba4ff..33d8cc8861b 100644 --- a/app/workers/post_receive.rb +++ b/app/workers/post_receive.rb @@ -11,8 +11,8 @@ class PostReceive log("Check gitlab.yml config for correct gitlab_shell.repos_path variable. \"#{Gitlab.config.gitlab_shell.repos_path}\" does not match \"#{repo_path}\"") end - repo_path.gsub!(/\.git$/, "") - repo_path.gsub!(/^\//, "") + repo_path.gsub!(/\.git\z/, "") + repo_path.gsub!(/\A\//, "") project = Project.find_with_namespace(repo_path) diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 79abe3c695d..9dce495106f 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -208,7 +208,7 @@ Devise.setup do |config| if Gitlab::LDAP::Config.enabled? Gitlab.config.ldap.servers.values.each do |server| if server['allow_username_or_email_login'] - email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')} + email_stripping_proc = ->(name) {name.gsub(/@.*\z/,'')} else email_stripping_proc = ->(name) {name} end -- cgit v1.2.1 
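Review bot: `message.strip! if message` in `create_tag_service.rb` mutates the string object the caller passed in (the replaced `gsub!` did too), and the bang form returns nil when nothing changed, so the value must never be chained; the non-mutating `message = message.strip if message` reads the same and leaves the caller's object intact. Note that `String#strip` also removes trailing NUL bytes, which the old `\s` pattern did not, so this is a small behavioral change rather than a pure anchor swap — harmless for a tag message, but worth knowing. The enclosing method continues past the hunk.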
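Review bot: In `post_receive.rb` both patterns are now anchored and can match at most once, so `sub!` states the intent more precisely than `gsub!`: `repo_path.sub!(/\.git\z/, "")` and `repo_path.sub!(%r{\A/}, "")`, with `%r{}` avoiding the escaped slash. Both bang calls return nil when nothing was replaced; the return values are discarded here, which is fine, but a reader should not be tempted to chain them. Since the stripped `repo_path` then selects the project via `Project.find_with_namespace`, a comment stating where the value originates (the gitlab-shell hook, presumably) and that the `repos_path` comparison implied by the log message above is the only sanitization applied would help future readers.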
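Review bot: `name.gsub(/@.*\z/,'')` in `devise.rb` no longer strips the domain when anything after the `@` contains a newline, because `.` does not match `\n` without the `/m` flag and `\z` then fails to match at all; the pre-change `$` matched before the newline and the input was reduced to `user\n…`. If the intent is "everything from the first `@` onward", `name.sub(/@.*\z/m, '')` (or equivalently `name[/\A[^@]*/]`) does that regardless of embedded line breaks, and `sub` suffices because the pattern is anchored. Either way the result is handed to the LDAP lookup, so the LDAP filter escaping performed by the LDAP adapter (not visible here) remains the actual injection defense, and an input with embedded newlines should arguably be rejected before reaching this proc.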
From 0988be4efa8c9db6b3adcecdbad97367e837961f Mon Sep 17 00:00:00 2001 From: Douwe Maan Date: Sat, 11 Apr 2015 11:40:51 +0200 Subject: Fix a whoopsie daisy in the changelog. --- CHANGELOG | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 3c119a93d36..d10fc81015d 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,7 +2,6 @@ Please view this file on the master branch, on stable branches it's out of date. v 7.10.0 (unreleased) - Fix persistent XSS vulnerability around profile website URLs. - - Fix broken file browsing with a submodule that contains a relative link (Stan Hu) - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu) - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu) - Add ability to configure Reply-To address in gitlab.yml (Stan Hu) -- cgit v1.2.1