提交
5dc6c8f2
编写于
6月 03, 2019
作者:
GitLab Release Tools Bot
Merge branch 'security-60039' into 'master'
Disallow invalid MR branch name See merge request gitlab/gitlabhq!3052
上级
e5b88d88
c7e8f5c6
变更
8
Showing
8 changed file
with
144 addition
and
33 deletion
+144
-33
app/models/merge_request.rb
app/models/merge_request.rb
+12
-0
changelogs/unreleased/security-60039.yml
changelogs/unreleased/security-60039.yml
+5
-0
lib/gitlab/git_ref_validator.rb
lib/gitlab/git_ref_validator.rb
+21
-2
spec/features/issuables/issuable_list_spec.rb
spec/features/issuables/issuable_list_spec.rb
+1
-1
spec/lib/gitlab/bitbucket_import/importer_spec.rb
spec/lib/gitlab/bitbucket_import/importer_spec.rb
+1
-0
spec/lib/gitlab/git_ref_validator_spec.rb
spec/lib/gitlab/git_ref_validator_spec.rb
+65
-27
spec/models/merge_request_spec.rb
spec/models/merge_request_spec.rb
+36
-0
spec/services/ci/create_pipeline_service_spec.rb
spec/services/ci/create_pipeline_service_spec.rb
+3
-3
app/models/merge_request.rb
...
@@ -588,6 +588,8 @@ class MergeRequest < ApplicationRecord
...
@@ -588,6 +588,8 @@ class MergeRequest < ApplicationRecord
return
return
end
end
[
:source_branch
,
:target_branch
].
each
{
|
attr
|
validate_branch_name
(
attr
)
}
if
opened?
if
opened?
similar_mrs
=
target_project
similar_mrs
=
target_project
.
merge_requests
.
merge_requests
...
@@ -608,6 +610,16 @@ class MergeRequest < ApplicationRecord
...
@@ -608,6 +610,16 @@ class MergeRequest < ApplicationRecord
end
end
end
end
def
validate_branch_name
(
attr
)
return
unless
changes_include?
(
attr
)
branch
=
read_attribute
(
attr
)
return
unless
branch
errors
.
add
(
attr
)
unless
Gitlab
::
GitRefValidator
.
validate_merge_request_branch
(
branch
)
end
def
validate_target_project
def
validate_target_project
return
true
if
target_project
.
merge_requests_enabled?
return
true
if
target_project
.
merge_requests_enabled?
...
...
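Review bot: `return unless branch` in the new validate_branch_name only skips nil; an empty string is truthy in Ruby, so `""` is handed to Gitlab::GitRefValidator.validate_merge_request_branch, expanded to `refs/heads/` and rejected there, producing an "is invalid" error on top of whatever presence validation the model already has (that validation is outside the hunk, so this is inferred). If the intent is to leave blank branches to the presence check, `return if branch.blank?` expresses that. The method also has no comment; suggest `# Rejects source/target branch names git would not accept as a ref; runs only on changed attributes so existing records are not invalidated retroactively.` The method enclosing the first hunk starts outside the hunk.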
changelogs/unreleased/security-60039.yml
0 → 100644
---
title
:
Prevent invalid branch for merge request
merge_request
:
author
:
type
:
security
lib/gitlab/git_ref_validator.rb
...
@@ -5,12 +5,15 @@
...
@@ -5,12 +5,15 @@
module
Gitlab
module
Gitlab
module
GitRefValidator
module
GitRefValidator
extend
self
extend
self
EXPANDED_PREFIXES
=
%w[refs/heads/ refs/remotes/]
.
freeze
DISALLOWED_PREFIXES
=
%w[-]
.
freeze
# Validates a given name against the git reference specification
# Validates a given name against the git reference specification
#
#
# Returns true for a valid reference name, false otherwise
# Returns true for a valid reference name, false otherwise
def
validate
(
ref_name
)
def
validate
(
ref_name
)
not_allowed_prefixes
=
%w(refs/heads/ refs/remotes/ -)
return
false
if
ref_name
.
start_with?
(
*
(
EXPANDED_PREFIXES
+
DISALLOWED_PREFIXES
))
return
false
if
ref_name
.
start_with?
(
*
not_allowed_prefixes
)
return
false
if
ref_name
==
'HEAD'
return
false
if
ref_name
==
'HEAD'
begin
begin
...
@@ -19,5 +22,21 @@ module Gitlab
...
@@ -19,5 +22,21 @@ module Gitlab
return
false
return
false
end
end
end
end
def
validate_merge_request_branch
(
ref_name
)
return
false
if
ref_name
.
start_with?
(
*
DISALLOWED_PREFIXES
)
expanded_name
=
if
ref_name
.
start_with?
(
*
EXPANDED_PREFIXES
)
ref_name
else
"refs/heads/
#{
ref_name
}
"
end
begin
Rugged
::
Reference
.
valid_name?
(
expanded_name
)
rescue
ArgumentError
return
false
end
end
end
end
end
end
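Review bot: validate_merge_request_branch has no doc comment while validate directly above documents its contract, and the two differ in ways a caller needs to know: the new method accepts `HEAD` and names already prefixed with `refs/heads/` or `refs/remotes/`, both of which validate rejects. Suggest above the def: `# Validates a merge request source/target branch: a name already qualified with refs/heads/ or refs/remotes/ is checked as-is, anything else as refs/heads/<name>; a leading '-' is always rejected.` Separately, `EXPANDED_PREFIXES + DISALLOWED_PREFIXES` in validate builds a new array on every call; `NOT_ALLOWED_PREFIXES = (EXPANDED_PREFIXES + DISALLOWED_PREFIXES).freeze` next to the other constants keeps it allocation-free. Whether a merge request branch should be allowed to name a remote-tracking ref under `refs/remotes/` is not obvious from the code and appears uncovered by the spec in this commit.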
spec/features/issuables/issuable_list_spec.rb
...
@@ -76,7 +76,7 @@ describe 'issuable list' do
...
@@ -76,7 +76,7 @@ describe 'issuable list' do
create
(
:issue
,
project:
project
,
author:
user
)
create
(
:issue
,
project:
project
,
author:
user
)
else
else
create
(
:merge_request
,
source_project:
project
,
source_branch:
generate
(
:branch
))
create
(
:merge_request
,
source_project:
project
,
source_branch:
generate
(
:branch
))
source_branch
=
FFaker
::
Name
.
name
source_branch
=
FFaker
::
Lorem
.
characters
(
8
)
pipeline
=
create
(
:ci_empty_pipeline
,
project:
project
,
ref:
source_branch
,
status:
%w(running failed success)
.
sample
,
sha:
'any'
)
pipeline
=
create
(
:ci_empty_pipeline
,
project:
project
,
ref:
source_branch
,
status:
%w(running failed success)
.
sample
,
sha:
'any'
)
create
(
:merge_request
,
title:
FFaker
::
Lorem
.
sentence
,
source_project:
project
,
source_branch:
source_branch
,
head_pipeline:
pipeline
)
create
(
:merge_request
,
title:
FFaker
::
Lorem
.
sentence
,
source_project:
project
,
source_branch:
source_branch
,
head_pipeline:
pipeline
)
end
end
...
...
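Review bot: the replacement `source_branch = FFaker::Lorem.characters(8)` draws a random name, while the merge request created just above it already uses `generate(:branch)`, which yields a unique, validator-safe name without depending on faker output; `source_branch = generate(:branch)` keeps the two creations in this block consistent and removes the small chance of two runs drawing the same name. Whether the surrounding block is executed more than once is not visible in the hunk.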
spec/lib/gitlab/bitbucket_import/importer_spec.rb
...
@@ -5,6 +5,7 @@ describe Gitlab::BitbucketImport::Importer do
...
@@ -5,6 +5,7 @@ describe Gitlab::BitbucketImport::Importer do
before
do
before
do
stub_omniauth_provider
(
'bitbucket'
)
stub_omniauth_provider
(
'bitbucket'
)
stub_feature_flags
(
stricter_mr_branch_name:
false
)
end
end
let
(
:statuses
)
do
let
(
:statuses
)
do
...
...
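Review bot: `stub_feature_flags(stricter_mr_branch_name: false)` is added to the importer's `before` block without explanation, and none of the code hunks in this commit reads `stricter_mr_branch_name`, so a reader cannot tell which check the flag gates or why the importer needs it off (the flag may be read in a part of app/models/merge_request.rb outside the visible hunk). The same stub appears in spec/models/merge_request_spec.rb, where branch validation errors are nevertheless expected, which makes the flag's meaning even less clear from the specs alone. A one-line comment above the stub, e.g. `# stricter_mr_branch_name gates <check — TODO confirm>; off here because imported Bitbucket branch names are taken as-is`, would resolve this.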
spec/lib/gitlab/git_ref_validator_spec.rb
require
'spec_helper'
require
'spec_helper'
describe
Gitlab
::
GitRefValidator
do
describe
Gitlab
::
GitRefValidator
do
it
{
expect
(
described_class
.
validate
(
'feature/new'
)).
to
be_truthy
}
using
RSpec
::
Parameterized
::
TableSyntax
it
{
expect
(
described_class
.
validate
(
'implement_@all'
)).
to
be_truthy
}
it
{
expect
(
described_class
.
validate
(
'my_new_feature'
)).
to
be_truthy
}
context
'.validate'
do
it
{
expect
(
described_class
.
validate
(
'my-branch'
)).
to
be_truthy
}
it
{
expect
(
described_class
.
validate
(
'feature/new'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate
(
'#1'
)).
to
be_truthy
}
it
{
expect
(
described_class
.
validate
(
'implement_@all'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate
(
'feature/refs/heads/foo'
)).
to
be_truthy
}
it
{
expect
(
described_class
.
validate
(
'my_new_feature'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate
(
'feature/~new/'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'my-branch'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate
(
'feature/^new/'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'#1'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate
(
'feature/:new/'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature/refs/heads/foo'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate
(
'feature/?new/'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature/~new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'feature/*new/'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature/^new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'feature/[new/'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature/:new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'feature/new/'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature/?new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'feature/new.'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature/*new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'feature\@{'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature/[new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'feature\new'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature/new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'feature//new'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature/new.'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'feature new'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature\@{'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'refs/heads/'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature\new'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'refs/remotes/'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature//new'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'refs/heads/feature'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'feature new'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'refs/remotes/origin'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'refs/heads/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'-'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'refs/remotes/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'-branch'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'refs/heads/feature'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'.tag'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'refs/remotes/origin'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'my branch'
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'-'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
"
\xA0\u
0000
\xB0
"
)).
to
be_falsey
}
it
{
expect
(
described_class
.
validate
(
'-branch'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'+foo:bar'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'foo:bar'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'.tag'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
'my branch'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate
(
"
\xA0\u
0000
\xB0
"
)).
to
be
false
}
end
context
'.validate_merge_request_branch'
do
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'HEAD'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature/new'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'implement_@all'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'my_new_feature'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'my-branch'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'#1'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature/refs/heads/foo'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature/~new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature/^new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature/:new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature/?new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature/*new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature/[new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature/new/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature/new.'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature\@{'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature\new'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature//new'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'feature new'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'refs/heads/master'
)).
to
be
true
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'refs/heads/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'refs/remotes/'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'-'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'-branch'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'+foo:bar'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'foo:bar'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'.tag'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
'my branch'
)).
to
be
false
}
it
{
expect
(
described_class
.
validate_merge_request_branch
(
"
\xA0\u
0000
\xB0
"
)).
to
be
false
}
end
end
end
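Review bot: `using RSpec::Parameterized::TableSyntax` is added at the top of the describe block, but no `where`/`with_them` table follows; every example is a plain `it { expect(...) }`, so the directive is dead and should either be removed or actually used to fold the two long lists of near-identical cases into a table such as `where(:ref_name, :valid) do ... end` with one `with_them` example per context. The `.validate_merge_request_branch` cases also never exercise a name under `refs/remotes/` beyond the bare prefix, so the implementation path that passes such names straight through to Rugged is unasserted.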
spec/models/merge_request_spec.rb
...
@@ -173,6 +173,42 @@ describe MergeRequest do
...
@@ -173,6 +173,42 @@ describe MergeRequest do
end
end
end
end
context
'for branch'
do
before
do
stub_feature_flags
(
stricter_mr_branch_name:
false
)
end
using
RSpec
::
Parameterized
::
TableSyntax
where
(
:branch_name
,
:valid
)
do
'foo'
|
true
'foo:bar'
|
false
'+foo:bar'
|
false
'foo bar'
|
false
'-foo'
|
false
'HEAD'
|
true
'refs/heads/master'
|
true
end
with_them
do
it
"validates source_branch"
do
subject
=
build
(
:merge_request
,
source_branch:
branch_name
,
target_branch:
'master'
)
subject
.
valid?
expect
(
subject
.
errors
.
added?
(
:source_branch
)).
to
eq
(
!
valid
)
end
it
"validates target_branch"
do
subject
=
build
(
:merge_request
,
source_branch:
'master'
,
target_branch:
branch_name
)
subject
.
valid?
expect
(
subject
.
errors
.
added?
(
:target_branch
)).
to
eq
(
!
valid
)
end
end
end
context
'for forks'
do
context
'for forks'
do
let
(
:project
)
{
create
(
:project
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:fork1
)
{
fork_project
(
project
)
}
let
(
:fork1
)
{
fork_project
(
project
)
}
...
...
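Review bot: in both new examples the local `subject = build(:merge_request, ...)` shadows RSpec's `subject` helper, which is easy to misread as the memoized subject; a plain name such as `merge_request = build(:merge_request, source_branch: branch_name, target_branch: 'master')` avoids the confusion. The table also lacks a case showing that an existing record whose branch name is unchanged is not re-validated — the `changes_include?(attr)` guard in the model is what keeps existing merge requests saving, and it deserves an example so the guard is not removed by accident.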
spec/services/ci/create_pipeline_service_spec.rb
...
@@ -973,7 +973,7 @@ describe Ci::CreatePipelineService do
...
@@ -973,7 +973,7 @@ describe Ci::CreatePipelineService do
let
(
:merge_request
)
do
let
(
:merge_request
)
do
create
(
:merge_request
,
create
(
:merge_request
,
source_project:
project
,
source_project:
project
,
source_branch:
ref_name
,
source_branch:
Gitlab
::
Git
.
ref_name
(
ref_name
)
,
target_project:
project
,
target_project:
project
,
target_branch:
'master'
)
target_branch:
'master'
)
end
end
...
@@ -1004,7 +1004,7 @@ describe Ci::CreatePipelineService do
...
@@ -1004,7 +1004,7 @@ describe Ci::CreatePipelineService do
let
(
:merge_request
)
do
let
(
:merge_request
)
do
create
(
:merge_request
,
create
(
:merge_request
,
source_project:
project
,
source_project:
project
,
source_branch:
ref_name
,
source_branch:
Gitlab
::
Git
.
ref_name
(
ref_name
)
,
target_project:
project
,
target_project:
project
,
target_branch:
'master'
)
target_branch:
'master'
)
end
end
...
@@ -1033,7 +1033,7 @@ describe Ci::CreatePipelineService do
...
@@ -1033,7 +1033,7 @@ describe Ci::CreatePipelineService do
let
(
:merge_request
)
do
let
(
:merge_request
)
do
create
(
:merge_request
,
create
(
:merge_request
,
source_project:
project
,
source_project:
project
,
source_branch:
ref_name
,
source_branch:
Gitlab
::
Git
.
ref_name
(
ref_name
)
,
target_project:
project
,
target_project:
project
,
target_branch:
'master'
)
target_branch:
'master'
)
end
end
...
...
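Review bot: the three `let(:merge_request)` blocks at the @@ -973, @@ -1004 and @@ -1033 hunks are byte-identical after the `Gitlab::Git.ref_name(ref_name)` change, which is why the same one-line edit had to be applied three times; hoisting a single `let(:merge_request)` into a shared enclosing context (or a `shared_context`) would keep them from drifting apart again. Whether the three contexts share a parent is not visible in the hunks.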