summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2021-12-03 10:02:12 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-12-03 10:02:27 +0000
commit01a6adb2b453b852a9348365c4e867d6a36ddeb1 (patch)
treec48732c5bd6dc8881de252ed147277d49c365d22 /app
parentf617de3476794b7198f07eba70b84fa401eded71 (diff)
downloadgitlab-ce-01a6adb2b453b852a9348365c4e867d6a36ddeb1.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/services/protected_branches/base_service.rb18
-rw-r--r--app/services/protected_branches/create_service.rb2
-rw-r--r--app/services/protected_branches/update_service.rb2
3 files changed, 20 insertions, 2 deletions
diff --git a/app/services/protected_branches/base_service.rb b/app/services/protected_branches/base_service.rb
index f48e02ab4b5..df801311aaf 100644
--- a/app/services/protected_branches/base_service.rb
+++ b/app/services/protected_branches/base_service.rb
@@ -13,5 +13,23 @@ module ProtectedBranches
def after_execute(*)
# overridden in EE::ProtectedBranches module
end
+
+ def filtered_params
+ return unless params
+
+ params[:name] = sanitize_branch_name(params[:name]) if params[:name].present?
+ params
+ end
+
+ private
+
+ def sanitize_branch_name(name)
+ name = CGI.unescapeHTML(name)
+ name = Sanitize.fragment(name)
+
+ # Sanitize.fragment escapes HTML chars, so unescape again to allow names
+ # like `feature->master`
+ CGI.unescapeHTML(name)
+ end
end
end
diff --git a/app/services/protected_branches/create_service.rb b/app/services/protected_branches/create_service.rb
index dada449989a..ea494dd4426 100644
--- a/app/services/protected_branches/create_service.rb
+++ b/app/services/protected_branches/create_service.rb
@@ -21,7 +21,7 @@ module ProtectedBranches
end
def protected_branch
- @protected_branch ||= project.protected_branches.new(params)
+ @protected_branch ||= project.protected_branches.new(filtered_params)
end
end
end
diff --git a/app/services/protected_branches/update_service.rb b/app/services/protected_branches/update_service.rb
index 1e70f2d9793..40e9a286af9 100644
--- a/app/services/protected_branches/update_service.rb
+++ b/app/services/protected_branches/update_service.rb
@@ -8,7 +8,7 @@ module ProtectedBranches
old_merge_access_levels = protected_branch.merge_access_levels.map(&:clone)
old_push_access_levels = protected_branch.push_access_levels.map(&:clone)
- if protected_branch.update(params)
+ if protected_branch.update(filtered_params)
after_execute(protected_branch: protected_branch, old_merge_access_levels: old_merge_access_levels, old_push_access_levels: old_push_access_levels)
end