author | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2014-11-14 14:09:29 +0000 |
---|---|---|
committer | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2014-11-14 14:09:29 +0000 |
commit | 7e3f49bab0ea1ecdef685649d973a840663beeed (patch) | |
tree | d5f3326a176237ff738e1033cfeda63347564f8b | |
parent | d55f5587aadc07f9193cc58c0e2f743b3a2282e5 (diff) | |
parent | 334fe86574227433bd2909577c5955c40721d509 (diff) | |
download | gitlab-ce-7e3f49bab0ea1ecdef685649d973a840663beeed.tar.gz |
Merge branch 'branch_name' into 'master'
Strip tags from branch name
See merge request !1251
-rw-r--r-- | app/controllers/projects/branches_controller.rb | 5 | ||||
-rw-r--r-- | spec/controllers/branches_controller_spec.rb | 51 |
2 files changed, 55 insertions, 1 deletions
diff --git a/app/controllers/projects/branches_controller.rb b/app/controllers/projects/branches_controller.rb
index 9ebd498e7fa..cff1a907dc2 100644
--- a/app/controllers/projects/branches_controller.rb
+++ b/app/controllers/projects/branches_controller.rb
@@ -1,4 +1,5 @@
 class Projects::BranchesController < Projects::ApplicationController
+  include ActionView::Helpers::SanitizeHelper
   # Authorize
   before_filter :require_non_empty_project
@@ -16,8 +17,10 @@ class Projects::BranchesController < Projects::ApplicationController
   end
 
   def create
+    branch_name = sanitize(strip_tags(params[:branch_name]))
+    ref = sanitize(strip_tags(params[:ref]))
     result = CreateBranchService.new(project, current_user).
-      execute(params[:branch_name], params[:ref])
+      execute(branch_name, ref)
 
     if result[:status] == :success
       @branch = result[:branch]
diff --git a/spec/controllers/branches_controller_spec.rb b/spec/controllers/branches_controller_spec.rb
new file mode 100644
index 00000000000..610d7a84e31
--- /dev/null
+++ b/spec/controllers/branches_controller_spec.rb
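Review bot: `sanitize(strip_tags(...))` in `create` removes markup but does not validate the value, so an input of `<script>alert('merge');</script>` still reaches CreateBranchService as a branch literally named `alert('merge');` — the spec added in this commit pins exactly that outcome. Tag stripping is a lossy transform on user data rather than a branch-name check; rejecting any name that fails git's ref-name rules (the constraints `git check-ref-format` enforces) before calling the service, and escaping the name wherever it is rendered, would address the same problem without silently creating a differently-named branch. The `sanitize` wrapper around `strip_tags` looks redundant — once `strip_tags` has run there are no tags left for `sanitize` to filter — and whether either helper tolerates a missing `params[:branch_name]` (nil) is worth confirming. The `include ActionView::Helpers::SanitizeHelper` in the first hunk pulls a view helper into the controller for this one use; a private helper or a validation in the service would keep the concern out of the controller. `create` continues past the end of the hunk.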
@@ -0,0 +1,51 @@
+require 'spec_helper'
+
+describe Projects::BranchesController do
+  let(:project) { create(:project) }
+  let(:user) { create(:user) }
+
+  before do
+    sign_in(user)
+
+    project.team << [user, :master]
+
+    project.stub(:branches).and_return(['master', 'foo/bar/baz'])
+    project.stub(:tags).and_return(['v1.0.0', 'v2.0.0'])
+    controller.instance_variable_set(:@project, project)
+  end
+
+  describe "POST create" do
+    render_views
+
+    before {
+      post :create,
+        project_id: project.to_param,
+        branch_name: branch,
+        ref: ref
+    }
+
+    context "valid branch name, valid source" do
+      let(:branch) { "merge_branch" }
+      let(:ref) { "master" }
+      it { should redirect_to("/#{project.path_with_namespace}/tree/merge_branch") }
+    end
+
+    context "invalid branch name, valid ref" do
+      let(:branch) { "<script>alert('merge');</script>" }
+      let(:ref) { "master" }
+      it { should redirect_to("/#{project.path_with_namespace}/tree/alert('merge');") }
+    end
+
+    context "valid branch name, invalid ref" do
+      let(:branch) { "merge_branch" }
+      let(:ref) { "<script>alert('ref');</script>" }
+      it { should render_template("new") }
+    end
+
+    context "invalid branch name, invalid ref" do
+      let(:branch) { "<script>alert('merge');</script>" }
+      let(:ref) { "<script>alert('ref');</script>" }
+      it { should render_template("new") }
+    end
+  end
+end
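Review bot: The "invalid branch name, valid ref" context asserts a redirect to `.../tree/alert('merge');`, which turns the sanitizer's leftover into the documented contract — creating a branch named `alert('merge');` from a malformed request is a surprising outcome to lock in with a test. Asserting `it { should render_template("new") }` there, as the two other invalid contexts do, would state the intended behaviour (reject rather than rewrite); if rewriting is deliberate, a comment on that example saying so would spare the next reader the same double-take. The `before` block stubs `project.branches` and `project.tags` but not the service, so the examples presumably exercise a real repository fixture; a one-line comment on why those two stubs are needed would help.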