author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-03 12:34:01 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-03 12:34:01 +0000 |
commit | e5b88d88fbd3796ba2f56912818231bdfbf0d597 (patch) | |
tree | ac20a94185b257836a6073c0917d4b1667b22dd3 /app/controllers | |
parent | 3a7bf68e34b493870146fa026c9a3da1899ef779 (diff) | |
parent | c7903542683eaa5427a5d30adad8550f0754bdfa (diff) | |
Merge branch 'security-id-leaked-password-in-import-url-frontend' into 'master'
Handling password on import by url page
See merge request gitlab/gitlabhq!3061
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/concerns/import_url_params.rb | 17 | ||||
-rw-r--r-- | app/controllers/projects/imports_controller.rb | 7 | ||||
-rw-r--r-- | app/controllers/projects_controller.rb | 2 |
3 files changed, 24 insertions, 2 deletions
diff --git a/app/controllers/concerns/import_url_params.rb b/app/controllers/concerns/import_url_params.rb
new file mode 100644
index 00000000000..765654ca2cb
--- /dev/null
+++ b/app/controllers/concerns/import_url_params.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module ImportUrlParams
+ def import_url_params
+ { import_url: import_params_to_full_url(params[:project]) }
+ end
+
+ def import_params_to_full_url(params)
+ Gitlab::UrlSanitizer.new(
+ params[:import_url],
+ credentials: {
+ user: params[:import_url_user],
+ password: params[:import_url_password]
+ }
+ ).full_url
+ end
+end
diff --git a/app/controllers/projects/imports_controller.rb b/app/controllers/projects/imports_controller.rb
index 4640be015de..afbf9fd7720 100644
--- a/app/controllers/projects/imports_controller.rb
+++ b/app/controllers/projects/imports_controller.rb
@@ -2,6 +2,7 @@ class Projects::ImportsController < Projects::ApplicationController include ContinueParams
+ include ImportUrlParams # Authorize before_action :authorize_admin_project!
@@ -67,10 +68,12 @@ class Projects::ImportsController < Projects::ApplicationController end def import_params_attributes
- [:import_url]
+ [] end def import_params
- params.require(:project).permit(import_params_attributes)
+ params.require(:project)
+ .permit(import_params_attributes)
+ .merge(import_url_params) end end
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index e88c46144ef..12db493978b 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -7,6 +7,7 @@ class ProjectsController < Projects::ApplicationController include PreviewMarkdown include SendFileUpload include RecordUserLastActivity
+ include ImportUrlParams prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) }
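Review bot: `import_url_params` in the new concern returns an `import_url` key unconditionally, so a request whose `project` hash carries no `import_url` field at all still feeds `nil` into `Gitlab::UrlSanitizer` and hands the result to every controller that merges this hash into its permitted params; whether that ends up blanking a stored import URL depends on how `full_url` treats a nil URL, which is not visible here. A guard as the first line of `import_url_params`, `return {} unless params.dig(:project, :import_url).present?`, keeps the merge a no-op for forms that never posted an import URL. Separately, the `params` parameter of `import_params_to_full_url` shadows the controller's `params` helper inside a module that only makes sense mixed into a controller; naming it `project_attrs` would stop the bare `params[:import_url]` inside it from being read as the request params. A short module comment along the lines of `# Rebuilds the import_url attribute from the separate url/user/password fields posted by the import form, so the credentials are not carried in the url field itself.` would also record why the three fields arrive separately.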
@@ -333,6 +334,7 @@ class ProjectsController < Projects::ApplicationController def project_params(attributes: []) params.require(:project) .permit(project_params_attributes + attributes)
+ .merge(import_url_params) end def project_params_attributes |
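Review bot: `.merge(import_url_params)` is added to `project_params`, the strong-params method shared by this controller's write actions (its callers are outside the hunk, but the `attributes:` keyword suggests more than one), so the merge now runs on every project save, not only on the import-by-URL form; a settings save that posts no `import_url` key still submits an `import_url` computed from `nil`. Whether that overwrites a stored import URL depends on `Gitlab::UrlSanitizer#full_url`, which is not shown here; please confirm, or merge only when the key was actually posted, e.g. `.merge(params[:project].key?(:import_url) ? import_url_params : {})`. Note also that a key merged after `permit` is accepted regardless of what `project_params_attributes` allows, so `import_url` is now writable from any action that goes through `project_params`.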