From f28a12a559ef5492b583f0ae5dff5dcb49c7afe1 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Fri, 12 Dec 2014 13:15:42 +0200
Subject: Add strict validation to snippet file names

Signed-off-by: Dmitriy Zaporozhets
---
 app/models/snippet.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'app/models/snippet.rb')

diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index a47fbca3260..44fbff345b4 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -29,7 +29,9 @@ class Snippet < ActiveRecord::Base
   validates :author, presence: true
   validates :title, presence: true, length: { within: 0..255 }
-  validates :file_name, presence: true, length: { within: 0..255 }
+  validates :file_name, presence: true, length: { within: 0..255 },
+    format: { with: Gitlab::Regex.path_regex,
+    message: Gitlab::Regex.path_regex_message }
   validates :content, presence: true
   validates :visibility_level, inclusion: { in: Gitlab::VisibilityLevel.values }
@@ -72,7 +74,7 @@ class Snippet < ActiveRecord::Base
   def visibility_level_field
     visibility_level
-  end
+  end
   class << self
     def search(query)
-- cgit v1.2.1

From 118bd7178b2be5f8a8fbcfa6af66e9e6d299b658 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Fri, 12 Dec 2014 13:28:48 +0200
Subject: Sanitize snippet file name in raw headers

Signed-off-by: Dmitriy Zaporozhets
---
 app/models/snippet.rb | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'app/models/snippet.rb')

diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index 44fbff345b4..9aba42a0622 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -64,6 +64,10 @@ class Snippet < ActiveRecord::Base
     file_name
   end
+  def sanitized_file_name file_name.gsub(/[^a-zA-Z0-9_\-\.]+/, '') end
+
   def mode
     nil
   end
-- cgit v1.2.1

From cc39bca3fa71930421f1c46844b4d02d5ff93e8b Mon Sep 17 00:00:00 2001 
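Review bot: The `format:` option added to the `validates :file_name` line inherits whatever anchoring `Gitlab::Regex.path_regex` uses, and that pattern is not visible in this hunk; if it is written with `^`/`$` rather than `\A`/`\z`, Ruby treats those as per-line anchors and a value with a valid first line still passes, which matters here because the commit that follows sanitizes this same name for raw response headers. Worth confirming the regex is `\A…\z`-anchored and recording that on this line, e.g. `# path_regex must use \A/\z: ^ and $ are line anchors in Ruby`. Note also that a model validation only runs on save, so rows written before this commit keep whatever file name they already had.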
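Review bot: `sanitized_file_name` can return an empty string, because the `gsub` deletes every run of characters outside `[a-zA-Z0-9_\-\.]` and a name made entirely of such characters (a non-ASCII name saved before the format validation existed, for instance) collapses to `''`, so a header built from it carries an empty filename. A guarded form such as `name = file_name.to_s.gsub(/[^a-zA-Z0-9_\-\.]+/, ''); name.empty? ? 'snippet' : name` (the fallback value is a constructed example) avoids both that and a `NoMethodError` on a `nil` file name. The method also deserves a comment stating the context it is safe for, e.g. `# ASCII-only form of file_name for raw response headers; not a path-safety guard`, since `.` is retained and the result should not be used to build filesystem paths.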
From: Dmitriy Zaporozhets
Date: Mon, 2 Feb 2015 21:15:44 -0800
Subject: Rubocop: Style/AlignHash enabled

---
 app/models/snippet.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'app/models/snippet.rb')

diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index 9aba42a0622..a3222d29892 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -29,9 +29,11 @@ class Snippet < ActiveRecord::Base
   validates :author, presence: true
   validates :title, presence: true, length: { within: 0..255 }
-  validates :file_name, presence: true, length: { within: 0..255 },
-    format: { with: Gitlab::Regex.path_regex,
-    message: Gitlab::Regex.path_regex_message }
+  validates :file_name,
+    presence: true,
+    length: { within: 0..255 },
+    format: { with: Gitlab::Regex.path_regex,
+              message: Gitlab::Regex.path_regex_message }
   validates :content, presence: true
   validates :visibility_level, inclusion: { in: Gitlab::VisibilityLevel.values }
-- cgit v1.2.1

From 62ed1c537e9b8aa85d354b377f18083fb71b8e05 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Thu, 5 Feb 2015 14:20:55 -0800
Subject: Explicitly define ordering in models using default_scope

---
 app/models/snippet.rb | 1 +
 1 file changed, 1 insertion(+)
(limited to 'app/models/snippet.rb')

diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index a3222d29892..82c1ab94446 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -16,6 +16,7 @@
 #
 class Snippet < ActiveRecord::Base
+  include Sortable
   include Linguist::BlobHelper
   include Gitlab::VisibilityLevel
-- cgit v1.2.1
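Review bot: The added `include Sortable` line pulls in behaviour that is not visible in this hunk; the commit subject says the ordering is defined with `default_scope`, and if so it applies to every `Snippet` query, including the `search(query)` class method seen in the earlier patch and any `first`/`last` call, with `unscoped` as the only way out. A one-line comment beside the include, such as `# Sortable applies a default ordering scope to every Snippet query (see the concern)`, would spare the next reader a lookup. This is inferred from the subject line only; confirm against the Sortable concern.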