author | rpereira2 <rpereira@gitlab.com> | 2019-08-22 23:43:44 +0530 |
---|---|---|
committer | rpereira2 <rpereira@gitlab.com> | 2019-08-26 13:46:12 +0530 |
commit | 2956c471118d314151fae941ed23c1c07c958757 (patch) | |
tree | 8fafe04c83b4690e09889e81428649d954b3a602 | |
parent | 8112fb37544557b3f94c0a558175d5da99ef9829 (diff) | |
Do not use sanitize in url_blockerfix-sanitize-usage
- Compare the URL with its percent-encoded form instead, so that a URL is rejected unless any special characters in it are already encoded.
-rw-r--r-- | lib/gitlab/url_blocker.rb | 4 | ||||
-rw-r--r-- | locale/gitlab.pot | 3 | ||||
-rw-r--r-- | spec/validators/addressable_url_validator_spec.rb | 2 |
3 files changed, 6 insertions, 3 deletions
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index 9c35d200dcb..631381001fe 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -156,9 +156,9 @@ module Gitlab
 def validate_html_tags(uri)
 uri_str = uri.to_s
- sanitized_uri = ActionController::Base.helpers.sanitize(uri_str, tags: [])
+ sanitized_uri = Addressable::URI.encode(uri_str)
 if sanitized_uri != uri_str
- raise BlockedUrlError, 'HTML/CSS/JS tags are not allowed'
+ raise BlockedUrlError, _('Special characters should be encoded')
 end
 end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 61642fbbd59..ec552cbccae 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -10681,6 +10681,9 @@ msgstr ""
 msgid "Spam log successfully submitted as ham."
 msgstr ""
+msgid "Special characters should be encoded"
+msgstr ""
+
 msgid "Specific Runners"
 msgstr ""
diff --git a/spec/validators/addressable_url_validator_spec.rb b/spec/validators/addressable_url_validator_spec.rb
index 387e84b2d04..3f3621d9173 100644
--- a/spec/validators/addressable_url_validator_spec.rb
+++ b/spec/validators/addressable_url_validator_spec.rb
@@ -265,7 +265,7 @@ describe AddressableUrlValidator do
 context 'when enforce_sanitization is' do
 let(:validator) { described_class.new(attributes: [:link_url], enforce_sanitization: enforce_sanitization) }
 let(:unsafe_url) { "https://replaceme.com/'><script>alert(document.cookie)</script>" }
- let(:safe_url) { 'https://replaceme.com/path/to/somewhere' }
+ let(:safe_url) { 'https://example.com/d?orgId=1&from=now-8h' }
 let(:unsafe_internal_url) do
 Gitlab.config.gitlab.protocol + '://' + Gitlab.config.gitlab.host + |
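Review bot: The comparison against `sanitized_uri = Addressable::URI.encode(uri_str)` in the url_blocker hunk rejects URLs that are already percent-encoded, because as far as I recall `Addressable::URI.encode` is not idempotent and re-encodes the `%` itself (`/a%20b` becomes `/a%2520b`), so a correctly encoded URL would now fail with a message telling the user to encode it. A check that only admits RFC 3986 characters is idempotent and keeps the intent, e.g. `raise BlockedUrlError, _('Special characters should be encoded') if uri_str.match?(%r{[^A-Za-z0-9\-._~:/?\#\[\]@!$&'()*+,;=%]})`, and the spec should gain an already-encoded URL such as `https://example.com/a%20b` that must be accepted. The method is still named `validate_html_tags`, but `'`, `(`, `)` and `=` are legal URI characters and pass the new check, so it is no longer a tag filter; a comment such as `# Rejects characters that are illegal in a URI; this is not HTML escaping, views must still escape the URL on output.` would stop callers from relying on it for XSS protection. The blank context lines at the start and end of this hunk appear to have been dropped by the page rendering.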