authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-06-03 12:34:01 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-06-03 12:34:01 +0000
commite5b88d88fbd3796ba2f56912818231bdfbf0d597 (patch)
treeac20a94185b257836a6073c0917d4b1667b22dd3 /app
parent3a7bf68e34b493870146fa026c9a3da1899ef779 (diff)
parentc7903542683eaa5427a5d30adad8550f0754bdfa (diff)
Merge branch 'security-id-leaked-password-in-import-url-frontend' into 'master'
Handling the password on the import-by-URL page. See merge request gitlab/gitlabhq!3061
Diffstat (limited to 'app')
-rw-r--r--app/controllers/concerns/import_url_params.rb17
-rw-r--r--app/controllers/projects/imports_controller.rb7
-rw-r--r--app/controllers/projects_controller.rb2
-rw-r--r--app/views/shared/_import_form.html.haml27
4 files changed, 45 insertions, 8 deletions
diff --git a/app/controllers/concerns/import_url_params.rb b/app/controllers/concerns/import_url_params.rb
new file mode 100644
index 00000000000..765654ca2cb
--- /dev/null
+++ b/app/controllers/concerns/import_url_params.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module ImportUrlParams
+ def import_url_params
+ { import_url: import_params_to_full_url(params[:project]) }
+ end
+
+ def import_params_to_full_url(params)
+ Gitlab::UrlSanitizer.new(
+ params[:import_url],
+ credentials: {
+ user: params[:import_url_user],
+ password: params[:import_url_password]
+ }
+ ).full_url
+ end
+end
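Review bot: `import_url_params` always returns an `import_url` entry, and both `Projects::ImportsController#import_params` (second hunk of that file) and `ProjectsController#project_params` (second hunk of that file) merge it into every request, so a submission that carries no import fields would still set `import_url` to whatever `Gitlab::UrlSanitizer.new(nil, credentials: ...).full_url` yields — `project_params` looks shared with actions beyond create, so this could overwrite a stored value. A guard at the top of the method, `return {} unless params.dig(:project, :import_url).present?`, restricts the merge to requests that actually submit a URL. Separately, the parameter of `import_params_to_full_url` is named `params`, which shadows the controller's `params` helper inside the concern; a name like `attrs` avoids the ambiguity. A one-line module comment would also help readers of the two controllers, e.g. `# Rebuilds import_url from the split URL/user/password form fields (see shared/_import_form).`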
diff --git a/app/controllers/projects/imports_controller.rb b/app/controllers/projects/imports_controller.rb
index 4640be015de..afbf9fd7720 100644
--- a/app/controllers/projects/imports_controller.rb
+++ b/app/controllers/projects/imports_controller.rb
@@ -2,6 +2,7 @@
class Projects::ImportsController < Projects::ApplicationController
include ContinueParams
+ include ImportUrlParams
# Authorize
before_action :authorize_admin_project!
@@ -67,10 +68,12 @@ class Projects::ImportsController < Projects::ApplicationController
end
def import_params_attributes
- [:import_url]
+ []
end
def import_params
- params.require(:project).permit(import_params_attributes)
+ params.require(:project)
+ .permit(import_params_attributes)
+ .merge(import_url_params)
end
end
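Review bot: `import_params_attributes` now returns `[]`, which reads as "permit nothing" to anyone who does not know `import_url_params` is merged in afterwards; a short comment on that method would prevent someone re-adding `:import_url` and thereby accepting the raw, credential-bearing URL again, e.g. `# import_url is assembled by ImportUrlParams from the split URL/user/password fields; do not permit it directly`. The `.permit(...).merge(...)` chain keeps the permitted flag on the resulting `ActionController::Parameters`, so the merged hash is mass-assignable as before.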
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index e88c46144ef..12db493978b 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -7,6 +7,7 @@ class ProjectsController < Projects::ApplicationController
include PreviewMarkdown
include SendFileUpload
include RecordUserLastActivity
+ include ImportUrlParams
prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) }
@@ -333,6 +334,7 @@ class ProjectsController < Projects::ApplicationController
def project_params(attributes: [])
params.require(:project)
.permit(project_params_attributes + attributes)
+ .merge(import_url_params)
end
def project_params_attributes
diff --git a/app/views/shared/_import_form.html.haml b/app/views/shared/_import_form.html.haml
index 3ee713cf499..d0f9374e832 100644
--- a/app/views/shared/_import_form.html.haml
+++ b/app/views/shared/_import_form.html.haml
@@ -1,11 +1,26 @@
- ci_cd_only = local_assigns.fetch(:ci_cd_only, false)
+- import_url = Gitlab::UrlSanitizer.new(f.object.import_url)
-.form-group.import-url-data
- = f.label :import_url, class: 'label-bold' do
- %span
- = _('Git repository URL')
+.import-url-data
+ .form-group
+ = f.label :import_url, class: 'label-bold' do
+ %span
+ = _('Git repository URL')
+ = f.text_field :import_url, value: import_url.sanitized_url,
+ autocomplete: 'off', class: 'form-control', placeholder: 'https://gitlab.company.com/group/project.git', required: true
- = f.text_field :import_url, autocomplete: 'off', class: 'form-control', placeholder: 'https://username:password@gitlab.company.com/group/project.git', required: true
+ .row
+ .form-group.col-md-6
+ = f.label :import_url_user, class: 'label-bold' do
+ %span
+ = _('Username (optional)')
+ = f.text_field :import_url_user, value: import_url.user, class: 'form-control', required: false, autocomplete: 'new-password'
+
+ .form-group.col-md-6
+ = f.label :import_url_password, class: 'label-bold' do
+ %span
+ = _('Password (optional)')
+ = f.password_field :import_url_password, class: 'form-control', required: false, autocomplete: 'new-password'
.info-well.prepend-top-20
.well-segment
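Review bot: The password field is rendered without a `value:`, which is the right call for not leaking the secret back into the page, but it means any re-render of this form (validation error, or an edit page where `f.object.import_url` already carries credentials) shows an empty password while the URL and username are pre-filled; if the user resubmits as-is, the server side presumably rebuilds the URL without a password and would persist that. A hint under the field makes the behaviour explicit, e.g. `%p.form-text.text-muted= _('Re-enter the password if the repository requires one.')`. The new first line also calls `Gitlab::UrlSanitizer.new(f.object.import_url)` for a brand-new project whose `import_url` is `nil` — confirm the sanitizer tolerates `nil` (and `sanitized_url`/`user` return blank values) so the new-project form does not raise.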
@@ -13,7 +28,7 @@
%li
= _('The repository must be accessible over <code>http://</code>, <code>https://</code> or <code>git://</code>.').html_safe
%li
- = _('If your HTTP repository is not publicly accessible, add authentication information to the URL: <code>https://username:password@gitlab.company.com/group/project.git</code>.').html_safe
+ = _('If your HTTP repository is not publicly accessible, add your credentials.')
%li
= import_will_timeout_message(ci_cd_only)
%li