author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2019-03-26 22:33:25 +0000 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2019-03-26 22:33:25 +0000 |
commit | 535bd5743f932c3ab30e047929b32c3ade2f47e5 (patch) | |
tree | b183407b2bf08d8c9b3c75a6b9882c37b8517701 /lib/gitlab/git | |
parent | 81fe9e9b2e670cc7dcd9405e336f72cabc5a14ba (diff) | |
parent | dc14af6b53d67b2be4b9d9edf3a2122acec6f061 (diff) | |
Merge branch '48132-display-output-from-pre-receive-scripts' into 'master'
Allow custom hooks errors to appear in GitLab UI
Closes #48132
See merge request gitlab-org/gitlab-ce!25625
Diffstat (limited to 'lib/gitlab/git')
-rw-r--r-- | lib/gitlab/git/pre_receive_error.rb | 31 |
1 files changed, 25 insertions, 6 deletions
diff --git a/lib/gitlab/git/pre_receive_error.rb b/lib/gitlab/git/pre_receive_error.rb
index 03caace6fce..b46d4ba0b02 100644
--- a/lib/gitlab/git/pre_receive_error.rb
+++ b/lib/gitlab/git/pre_receive_error.rb
@@ -4,19 +4,38 @@ module Gitlab
   module Git
     #
     # PreReceiveError is special because its message gets displayed to users
-    # in the web UI. To prevent XSS we sanitize the message on
-    # initialization.
+    # in the web UI. Because of this, we:
+    # - Only display errors that have been marked as safe with a prefix.
+    This is to prevent leaking of stacktraces, or other sensitive info.
+    # - Sanitize the string of any XSS
     class PreReceiveError < StandardError
-      def initialize(msg = '')
-        super(nlbr(msg))
+      SAFE_MESSAGE_PREFIXES = [
+        'GitLab:', # Messages from gitlab-shell
+        'GL-HOOK-ERR:' # Messages marked as safe by user
+      ].freeze
+
+      SAFE_MESSAGE_REGEX = /^(#{SAFE_MESSAGE_PREFIXES.join('|')})\s*(?<safe_message>.+)/
+
+      def initialize(message = '')
+        super(sanitize(message))
       end
 
       private
 
       # In gitaly-ruby we override this method to do nothing, so that
       # sanitization happens in gitlab-rails only.
-      def nlbr(str)
-        Gitlab::Utils.nlbr(str)
+      def sanitize(message)
+        return message if message.blank?
+
+        safe_messages = message.split("\n").map do |msg|
+          if (match = msg.match(SAFE_MESSAGE_REGEX))
+            match[:safe_message].presence
+          end
+        end
+
+        safe_messages = safe_messages.compact.join("\n")
+
+        Gitlab::Utils.nlbr(safe_messages)
       end
     end
   end
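Review bot: `SAFE_MESSAGE_REGEX` interpolates the prefixes joined with `|` into the pattern without escaping, so any entry later added to `SAFE_MESSAGE_PREFIXES` that contains a regex metacharacter would silently widen or break the allow-list that decides what reaches the UI; `Regexp.union` escapes each entry, e.g. `SAFE_MESSAGE_REGEX = /\A#{Regexp.union(SAFE_MESSAGE_PREFIXES)}\s*(?<safe_message>.+)/`. Anchoring with `\A` instead of `^` also keeps the match start-of-string even if the `split("\n")` in `sanitize`, which is currently what keeps each candidate to a single line, is ever changed. Separately, the comment above `sanitize` still says gitaly-ruby overrides this method to do nothing, but the method was renamed from `nlbr`; unless that override is renamed in the same release, the new `sanitize` presumably runs there too and its `Gitlab::Utils.nlbr` call may not resolve, which is worth confirming on the gitaly-ruby side. The third added comment line (`This is to prevent leaking ...`) appears in this rendering without a leading `#`; if that is in the patch rather than the page, it is a syntax error inside `module Git`. The `module Gitlab` header that encloses this hunk is outside it.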