author | Francisco Javier López <fjlopez@gitlab.com> | 2018-12-14 17:51:37 +0100 |
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-31 16:51:54 +0100 |
commit | b3c13bbb3c62c90dbb9a606b27699df8d681cec3 (patch) | |
tree | 335a4dc3624deb2cfed9a16e9caa49899395ed56 /app/models/lfs_download_object.rb | |
parent | 577812948dd25129e363862cfcb6d9d21d168cc2 (diff) | |
Added validations to prevent LFS object forgery
Diffstat (limited to 'app/models/lfs_download_object.rb')
-rw-r--r-- | app/models/lfs_download_object.rb | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/app/models/lfs_download_object.rb b/app/models/lfs_download_object.rb
new file mode 100644
index 00000000000..6383f95d546
--- /dev/null
+++ b/app/models/lfs_download_object.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class LfsDownloadObject
+ include ActiveModel::Validations
+
+ attr_accessor :oid, :size, :link
+ delegate :sanitized_url, :credentials, to: :sanitized_uri
+
+ validates :oid, format: { with: /\A\h{64}\z/ }
+ validates :size, numericality: { greater_than_or_equal_to: 0 }
+ validates :link, public_url: { protocols: %w(http https) }
+
+ def initialize(oid:, size:, link:)
+ @oid = oid
+ @size = size
+ @link = link
+ end
+
+ def sanitized_uri
+ @sanitized_uri ||= Gitlab::UrlSanitizer.new(link)
+ end
+end |
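Review bot: The size validation still accepts non-integer values, because `numericality` without `only_integer` lets floats such as 1.5 (and numeric strings) through, so the guard should read `validates :size, numericality: { only_integer: true, greater_than_or_equal_to: 0 }`. The oid pattern is anchored with `\A`/`\z` and `\h` limits it to exactly 64 hex digits, which is the right shape for a SHA-256 identifier; that is a format check only, and comparing the digest of the downloaded content against `oid` presumably happens in the caller rather than in this model. A short class comment would help since the file has none, e.g. `# Describes one LFS object to fetch from a remote; validates oid, size and link before any download is attempted.`. `attr_accessor` also lets `oid`, `size` and `link` be changed after `valid?` has run; with a keyword-argument initializer, `attr_reader` looks sufficient unless a caller needs to mutate them.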