authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-06-03 12:34:01 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-06-03 12:34:01 +0000
commite5b88d88fbd3796ba2f56912818231bdfbf0d597 (patch)
treeac20a94185b257836a6073c0917d4b1667b22dd3 /app/controllers
parent3a7bf68e34b493870146fa026c9a3da1899ef779 (diff)
parentc7903542683eaa5427a5d30adad8550f0754bdfa (diff)
Merge branch 'security-id-leaked-password-in-import-url-frontend' into 'master'
Handle the password on the import-by-URL page. See merge request gitlab/gitlabhq!3061
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/concerns/import_url_params.rb17
-rw-r--r--app/controllers/projects/imports_controller.rb7
-rw-r--r--app/controllers/projects_controller.rb2
3 files changed, 24 insertions, 2 deletions
diff --git a/app/controllers/concerns/import_url_params.rb b/app/controllers/concerns/import_url_params.rb
new file mode 100644
index 00000000000..765654ca2cb
--- /dev/null
+++ b/app/controllers/concerns/import_url_params.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module ImportUrlParams
+ def import_url_params
+ { import_url: import_params_to_full_url(params[:project]) }
+ end
+
+ def import_params_to_full_url(params)
+ Gitlab::UrlSanitizer.new(
+ params[:import_url],
+ credentials: {
+ user: params[:import_url_user],
+ password: params[:import_url_password]
+ }
+ ).full_url
+ end
+end
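Review bot: `import_url_params` always returns an `import_url` entry, even when the request carried none of `import_url`, `import_url_user` or `import_url_password`, and both controllers merge that hash into their strong parameters unconditionally, so a plain project update would submit an import URL built from a nil URL; what `Gitlab::UrlSanitizer#full_url` produces for nil is not visible here, but clobbering the stored value is the likely outcome. I would bail out early with `return {} unless params.dig(:project, :import_url).present?` as the first line of `import_url_params`, so the credentials-carrying URL is only assembled when one was actually submitted. Separately, `import_params_to_full_url(params)` names its argument `params`, shadowing the controller's `params` method inside the mixin; renaming it to `project_params` or `attrs` avoids confusion, since `params[:project]` in the first method and `params[:import_url]` in the second refer to different objects.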
diff --git a/app/controllers/projects/imports_controller.rb b/app/controllers/projects/imports_controller.rb
index 4640be015de..afbf9fd7720 100644
--- a/app/controllers/projects/imports_controller.rb
+++ b/app/controllers/projects/imports_controller.rb
@@ -2,6 +2,7 @@
class Projects::ImportsController < Projects::ApplicationController
include ContinueParams
+ include ImportUrlParams
# Authorize
before_action :authorize_admin_project!
@@ -67,10 +68,12 @@ class Projects::ImportsController < Projects::ApplicationController
end
def import_params_attributes
- [:import_url]
+ []
end
def import_params
- params.require(:project).permit(import_params_attributes)
+ params.require(:project)
+ .permit(import_params_attributes)
+ .merge(import_url_params)
end
end
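Review bot: `import_params_attributes` now returns an empty array with nothing explaining why `:import_url` left the permit list, which reads like dead code to the next maintainer. A one-line comment above it would help, e.g. `# import_url is assembled from import_url/import_url_user/import_url_password by ImportUrlParams and merged into import_params, so it is not permitted here.` Note also that `.merge(import_url_params)` runs on every request reaching `import_params`, so this relies on `ImportUrlParams#import_url_params` producing nothing when no URL was submitted, which is worth stating in that comment as well.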
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index e88c46144ef..12db493978b 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -7,6 +7,7 @@ class ProjectsController < Projects::ApplicationController
include PreviewMarkdown
include SendFileUpload
include RecordUserLastActivity
+ include ImportUrlParams
prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) }
@@ -333,6 +334,7 @@ class ProjectsController < Projects::ApplicationController
def project_params(attributes: [])
params.require(:project)
.permit(project_params_attributes + attributes)
+ .merge(import_url_params)
end
def project_params_attributes
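Review bot: `.merge(import_url_params)` is applied on every call of `project_params`, which the rest of this controller presumably uses for create and update alike, so a settings change that never mentions an import URL will now also submit an `import_url` derived from a nil URL (the exact value depends on `Gitlab::UrlSanitizer#full_url`, not visible here). Unless `import_url_params` is guaranteed to return `{}` when `params[:project][:import_url]` is absent, the merge here should be conditional on `params[:project].key?(:import_url)` so unrelated updates cannot overwrite a previously stored import URL and its credentials. `project_params_attributes` starts on the last line of this hunk and its body lies outside it.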