Merge branch 'security-60039' into 'master'

Disallow invalid MR branch name See merge request gitlab/gitlabhq!3052
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-06-03 12:34:04 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-06-03 12:34:04 +0000
commit: 5dc6c8f2d08534281b0e1adf404af0e8642eb407 (patch)
tree: a7af86fd68b1693f2d1441a2cc22a159658ad7f6 /app/models
parent: e5b88d88fbd3796ba2f56912818231bdfbf0d597 (diff)
parent: c7e8f5c613754a7221d6b2f0b0e154b75c55dd84 (diff)
download: gitlab-ce-5dc6c8f2d08534281b0e1adf404af0e8642eb407.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 311ba1ce6bd..81a8622bfe7 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -588,6 +588,8 @@ class MergeRequest < ApplicationRecord
       return
     end
 
+    [:source_branch, :target_branch].each { |attr| validate_branch_name(attr) }
+
     if opened?
       similar_mrs = target_project
         .merge_requests
@@ -608,6 +610,16 @@ class MergeRequest < ApplicationRecord
     end
   end
 
+  def validate_branch_name(attr)
+    return unless changes_include?(attr)
+
+    branch = read_attribute(attr)
+
+    return unless branch
+
+    errors.add(attr) unless Gitlab::GitRefValidator.validate_merge_request_branch(branch)
+  end
+
   def validate_target_project
     return true if target_project.merge_requests_enabled?
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-06-03 12:34:04 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-06-03 12:34:04 +0000
commit	5dc6c8f2d08534281b0e1adf404af0e8642eb407 (patch)
tree	a7af86fd68b1693f2d1441a2cc22a159658ad7f6 /app/models
parent	e5b88d88fbd3796ba2f56912818231bdfbf0d597 (diff)
parent	c7e8f5c613754a7221d6b2f0b0e154b75c55dd84 (diff)
download	gitlab-ce-5dc6c8f2d08534281b0e1adf404af0e8642eb407.tar.gz