path: root/app/views/peek/_bar.html.haml
author blackst0ne <blackst0ne.ru@gmail.com> 2018-04-28 21:35:16 +1100
committer blackst0ne <blackst0ne.ru@gmail.com> 2018-04-28 21:35:16 +1100
commit 350e26b8a660f2d98ef874be3fa1a15b93965979 (patch)
tree a7e97cbb5aa2067de457b4d29e897b1dc75cdfa9 /app/views/peek/_bar.html.haml
parent ee189fd511e1a2c06f05e0d40e1d0b8875151391 (diff)
[Rails5] Use `safe_params` instead of `params` in `url_for` helpers

This commit replaces `params` with `safe_params` in `url_for` helpers to resolve security issues [1] and failing specs with the

```
ArgumentError: Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.
```

error.

[1]: https://gitlab.com/gitlab-org/gitlab-ce/issues/45168

Diffstat (limited to 'app/views/peek/_bar.html.haml')
-rw-r--r-- app/views/peek/_bar.html.haml 2
1 files changed, 1 insertions, 1 deletions
diff --git a/app/views/peek/_bar.html.haml b/app/views/peek/_bar.html.haml
index a911449672b..cb0cccb8f8a 100644
--- a/app/views/peek/_bar.html.haml
+++ b/app/views/peek/_bar.html.haml
@@ -3,5 +3,5 @@
#js-peek{ data: { env: Peek.env,
request_id: Peek.request_id,
peek_url: peek_routes.results_url,
- profile_url: url_for(params.merge(lineprofiler: 'true')) },
+ profile_url: url_for(safe_params.merge(lineprofiler: 'true')) },
class: Peek.env }
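
Review bot: On the changed `profile_url:` line, `safe_params` is not defined anywhere in this hunk, so the fix is only as strong as that helper. Please link its definition in the merge request and confirm that it removes the URL-option keys such as `host` that the ArgumentError quoted in the commit message warns about, rather than only marking every request parameter as permitted so that `url_for` stops raising. The one parameter this link needs to add is `lineprofiler: 'true'`, so it is worth asking whether the rest of the request parameters have to be carried into `profile_url` at all, or whether an explicit allowlist would do. A view or feature spec that renders the bar for a request carrying a `host` query parameter and asserts that the host in `profile_url` is unchanged would document the intended behaviour and guard against a regression in the helper.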