author: blackst0ne <blackst0ne.ru@gmail.com> 2018-04-28 21:35:16 +1100
committer: blackst0ne <blackst0ne.ru@gmail.com> 2018-04-28 21:35:16 +1100
commit: 350e26b8a660f2d98ef874be3fa1a15b93965979 (patch)
tree: a7e97cbb5aa2067de457b4d29e897b1dc75cdfa9 /app/controllers
parent: ee189fd511e1a2c06f05e0d40e1d0b8875151391 (diff)
[Rails5] Use `safe_params` instead of `params` in `url_for` helpers
This commit replaces `params` with `safe_params` in `url_for` helpers to resolve security issues [1] and failing specs with the

```
ArgumentError: Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.
```

error.

[1]: https://gitlab.com/gitlab-org/gitlab-ce/issues/45168
Diffstat (limited to 'app/controllers')

-rw-r--r--  app/controllers/concerns/issuable_collections.rb        2
-rw-r--r--  app/controllers/groups/application_controller.rb        2
-rw-r--r--  app/controllers/projects/application_controller.rb      2

3 files changed, 3 insertions, 3 deletions
diff --git a/app/controllers/concerns/issuable_collections.rb b/app/controllers/concerns/issuable_collections.rb
index 34228cf0b82..ca1b80a36a0 100644
--- a/app/controllers/concerns/issuable_collections.rb
+++ b/app/controllers/concerns/issuable_collections.rb
@@ -57,7 +57,7 @@ module IssuableCollections
out_of_range = @issuables.current_page > total_pages # rubocop:disable Gitlab/ModuleWithInstanceVariables
if out_of_range
- redirect_to(url_for(params.merge(page: total_pages, only_path: true)))
+ redirect_to(url_for(safe_params.merge(page: total_pages, only_path: true)))
end
out_of_range
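Review bot: `safe_params` is not defined in any of the three files this diff touches, so the review should confirm (in the same change) that it returns something `url_for` accepts, i.e. a permitted parameter set or a plain hash. The `ArgumentError` quoted in the commit message is what Rails raises when `url_for` is handed `ActionController::Parameters` that have not been permitted, and `safe_params.merge(page: total_pages, only_path: true)` returns a new object of the same class, so whatever permission state `safe_params` has is carried straight into `url_for`. A spec that triggers the out-of-range redirect with a `host` parameter in the request and asserts the redirect target stays on the application host would pin down that this hunk actually closes the referenced issue.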
diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb
index 9f3bb60b4cc..62213561898 100644
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -33,6 +33,6 @@ class Groups::ApplicationController < ApplicationController
def build_canonical_path(group)
params[:group_id] = group.to_param
- url_for(params)
+ url_for(safe_params)
end
end
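Review bot: `params[:group_id] = group.to_param` still writes into `params` while the next line reads `safe_params`, so the canonical path only carries `group_id` if `safe_params` is derived from `params` at call time rather than memoized earlier in the request. Dropping the mutation and passing the value explicitly, e.g. `url_for(safe_params.merge(group_id: group.to_param))`, removes that dependency and leaves `params` untouched for anything that runs after `build_canonical_path`.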
diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index 032bb2267e7..5ab6d103c89 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -25,7 +25,7 @@ class Projects::ApplicationController < ApplicationController
params[:namespace_id] = project.namespace.to_param
params[:project_id] = project.to_param
- url_for(params)
+ url_for(safe_params)
end
def repository
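Review bot: same pattern as the groups controller: `params[:namespace_id]` and `params[:project_id]` are assigned into `params` before `url_for(safe_params)` is called, so correctness depends on `safe_params` re-reading `params` on every call. Passing them through the sanitized set instead, `url_for(safe_params.merge(namespace_id: project.namespace.to_param, project_id: project.to_param))`, keeps the whitelisting in one place and avoids the hidden ordering requirement; it also makes it easy to add a spec asserting that a `host` or `protocol` parameter supplied on the request does not show up in the generated canonical URL, which is the attack the commit message describes.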