diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-03 10:02:12 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-03 10:02:27 +0000 |
| commit | 01a6adb2b453b852a9348365c4e867d6a36ddeb1 (patch) | |
| tree | c48732c5bd6dc8881de252ed147277d49c365d22 /app | |
| parent | f617de3476794b7198f07eba70b84fa401eded71 (diff) | |
| download | gitlab-ce-01a6adb2b453b852a9348365c4e867d6a36ddeb1.tar.gz | |
Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee
Diffstat (limited to 'app')
| -rw-r--r-- | app/services/protected_branches/base_service.rb | 18 | ||||
| -rw-r--r-- | app/services/protected_branches/create_service.rb | 2 | ||||
| -rw-r--r-- | app/services/protected_branches/update_service.rb | 2 |
3 files changed, 20 insertions, 2 deletions
diff --git a/app/services/protected_branches/base_service.rb b/app/services/protected_branches/base_service.rb index f48e02ab4b5..df801311aaf 100644 --- a/app/services/protected_branches/base_service.rb +++ b/app/services/protected_branches/base_service.rb @@ -13,5 +13,23 @@ module ProtectedBranches def after_execute(*) # overridden in EE::ProtectedBranches module end + + def filtered_params + return unless params + + params[:name] = sanitize_branch_name(params[:name]) if params[:name].present? + params + end + + private + + def sanitize_branch_name(name) + name = CGI.unescapeHTML(name) + name = Sanitize.fragment(name) + + # Sanitize.fragment escapes HTML chars, so unescape again to allow names + # like `feature->master` + CGI.unescapeHTML(name) + end end end diff --git a/app/services/protected_branches/create_service.rb b/app/services/protected_branches/create_service.rb index dada449989a..ea494dd4426 100644 --- a/app/services/protected_branches/create_service.rb +++ b/app/services/protected_branches/create_service.rb @@ -21,7 +21,7 @@ module ProtectedBranches end def protected_branch - @protected_branch ||= project.protected_branches.new(params) + @protected_branch ||= project.protected_branches.new(filtered_params) end end end diff --git a/app/services/protected_branches/update_service.rb b/app/services/protected_branches/update_service.rb index 1e70f2d9793..40e9a286af9 100644 --- a/app/services/protected_branches/update_service.rb +++ b/app/services/protected_branches/update_service.rb @@ -8,7 +8,7 @@ module ProtectedBranches old_merge_access_levels = protected_branch.merge_access_levels.map(&:clone) old_push_access_levels = protected_branch.push_access_levels.map(&:clone) - if protected_branch.update(params) + if protected_branch.update(filtered_params) after_execute(protected_branch: protected_branch, old_merge_access_levels: old_merge_access_levels, old_push_access_levels: old_push_access_levels) end |