Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
gitlab-foss
提交
bc10afb6
G
gitlab-foss
项目概览
李少辉-开发者
/
gitlab-foss
通知
15
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
G
gitlab-foss
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
bc10afb6
编写于
6月 29, 2017
作者:
R
Robert Speicher
提交者:
Robert Speicher
9月 07, 2017
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Merge branch 'dm-go-get-xss' into 'security-9-3'
Fix XSS issue in go-get handling See merge request !2128
上级
b39d0c31
变更
3
隐藏空白更改
内联
并排
Showing
3 changed file
with
44 addition
and
11 deletion
+44
-11
changelogs/unreleased/dm-go-get-xss.yml
changelogs/unreleased/dm-go-get-xss.yml
+4
-0
lib/gitlab/middleware/go.rb
lib/gitlab/middleware/go.rb
+23
-10
spec/lib/gitlab/middleware/go_spec.rb
spec/lib/gitlab/middleware/go_spec.rb
+17
-1
未找到文件。
changelogs/unreleased/dm-go-get-xss.yml
0 → 100644
浏览文件 @
bc10afb6
---
title
:
Fix XSS issue in go-get handling
merge_request
:
author
:
lib/gitlab/middleware/go.rb
浏览文件 @
bc10afb6
...
...
@@ -3,6 +3,10 @@
module
Gitlab
module
Middleware
class
Go
include
ActionView
::
Helpers
::
TagHelper
PROJECT_PATH_REGEX
=
%r{
\A
(
#{
Gitlab
::
PathRegex
.
full_namespace_route_regex
}
/
#{
Gitlab
::
PathRegex
.
project_route_regex
}
)/}
.
freeze
def
initialize
(
app
)
@app
=
app
end
...
...
@@ -10,17 +14,20 @@ module Gitlab
def
call
(
env
)
request
=
Rack
::
Request
.
new
(
env
)
if
go_request?
(
request
)
render_go_doc
(
request
)
else
@app
.
call
(
env
)
end
render_go_doc
(
request
)
||
@app
.
call
(
env
)
end
private
def
render_go_doc
(
request
)
body
=
go_body
(
request
)
return
unless
go_request?
(
request
)
path
=
project_path
(
request
)
return
unless
path
body
=
go_body
(
path
)
return
unless
body
response
=
Rack
::
Response
.
new
(
body
,
200
,
{
'Content-Type'
=>
'text/html'
})
response
.
finish
end
...
...
@@ -29,11 +36,13 @@ module Gitlab
request
[
"go-get"
].
to_i
==
1
&&
request
.
env
[
"PATH_INFO"
].
present?
end
def
go_body
(
request
)
project_url
=
URI
.
join
(
Gitlab
.
config
.
gitlab
.
url
,
p
roject_path
(
request
)
)
def
go_body
(
path
)
project_url
=
URI
.
join
(
Gitlab
.
config
.
gitlab
.
url
,
p
ath
)
import_prefix
=
strip_url
(
project_url
.
to_s
)
"<!DOCTYPE html><html><head><meta content='
#{
import_prefix
}
git
#{
project_url
}
.git' name='go-import'></head></html>
\n
"
meta_tag
=
tag
:meta
,
name:
'go-import'
,
content:
"
#{
import_prefix
}
git
#{
project_url
}
.git"
head_tag
=
content_tag
:head
,
meta_tag
content_tag
:html
,
head_tag
end
def
strip_url
(
url
)
...
...
@@ -44,6 +53,10 @@ module Gitlab
path_info
=
request
.
env
[
"PATH_INFO"
]
path_info
.
sub!
(
/^\//
,
''
)
project_path_match
=
"
#{
path_info
}
/"
.
match
(
PROJECT_PATH_REGEX
)
return
unless
project_path_match
path
=
project_path_match
[
1
]
# Go subpackages may be in the form of `namespace/project/path1/path2/../pathN`.
# In a traditional project with a single namespace, this would denote repo
# `namespace/project` with subpath `path1/path2/../pathN`, but with nested
...
...
@@ -51,7 +64,7 @@ module Gitlab
# `path2/../pathN`, for example.
# We find all potential project paths out of the path segments
path_segments
=
path
_info
.
split
(
'/'
)
path_segments
=
path
.
split
(
'/'
)
simple_project_path
=
path_segments
.
first
(
2
).
join
(
'/'
)
# If the path is at most 2 segments long, it is a simple `namespace/project` path and we're done
...
...
spec/lib/gitlab/middleware/go_spec.rb
浏览文件 @
bc10afb6
...
...
@@ -79,12 +79,28 @@ describe Gitlab::Middleware::Go do
it_behaves_like
'a nested project'
end
context
'with a subpackage that is not a valid project path'
do
let
(
:path
)
{
"
#{
project
.
full_path
}
/---subpackage"
}
it_behaves_like
'a nested project'
end
context
'without subpackages'
do
let
(
:path
)
{
project
.
full_path
}
it_behaves_like
'a nested project'
end
end
context
'with a bogus path'
do
let
(
:path
)
{
"http:;url=http://www.example.com'http-equiv='refresh'x='?go-get=1"
}
it
'skips go-import generation'
do
expect
(
app
).
to
receive
(
:call
).
and_return
(
'no-go'
)
go
end
end
end
def
go
...
...
@@ -100,7 +116,7 @@ describe Gitlab::Middleware::Go do
def
expect_response_with_path
(
response
,
path
)
expect
(
response
[
0
]).
to
eq
(
200
)
expect
(
response
[
1
][
'Content-Type'
]).
to
eq
(
'text/html'
)
expected_body
=
"<!DOCTYPE html><html><head><meta content='
#{
Gitlab
.
config
.
gitlab
.
host
}
/
#{
path
}
git http://
#{
Gitlab
.
config
.
gitlab
.
host
}
/
#{
path
}
.git' name='go-import'></head></html>
\n
"
expected_body
=
%{<html><head><meta name="go-import" content="#{Gitlab.config.gitlab.host}/#{path} git http://#{Gitlab.config.gitlab.host}/#{path}.git" /></head></html>}
expect
(
response
[
2
].
body
).
to
eq
([
expected_body
])
end
end
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录