author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-03 12:34:04 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-03 12:34:04 +0000 |
commit | 5dc6c8f2d08534281b0e1adf404af0e8642eb407 (patch) | |
tree | a7af86fd68b1693f2d1441a2cc22a159658ad7f6 /lib/gitlab | |
parent | e5b88d88fbd3796ba2f56912818231bdfbf0d597 (diff) | |
parent | c7e8f5c613754a7221d6b2f0b0e154b75c55dd84 (diff) | |
Merge branch 'security-60039' into 'master'
Disallow invalid MR branch name
See merge request gitlab/gitlabhq!3052
Diffstat (limited to 'lib/gitlab')
-rw-r--r-- | lib/gitlab/git_ref_validator.rb | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/lib/gitlab/git_ref_validator.rb b/lib/gitlab/git_ref_validator.rb
index 3f13ebeb9d0..dfff6823689 100644
--- a/lib/gitlab/git_ref_validator.rb
+++ b/lib/gitlab/git_ref_validator.rb
@@ -5,12 +5,15 @@ module Gitlab
module GitRefValidator
extend self
+
+ EXPANDED_PREFIXES = %w[refs/heads/ refs/remotes/].freeze
+ DISALLOWED_PREFIXES = %w[-].freeze
+
# Validates a given name against the git reference specification
#
# Returns true for a valid reference name, false otherwise
def validate(ref_name)
- not_allowed_prefixes = %w(refs/heads/ refs/remotes/ -)
- return false if ref_name.start_with?(*not_allowed_prefixes)
+ return false if ref_name.start_with?(*(EXPANDED_PREFIXES + DISALLOWED_PREFIXES))
return false if ref_name == 'HEAD'
begin
@@ -19,5 +22,21 @@ module Gitlab
return false
end
end
+
+ def validate_merge_request_branch(ref_name)
+ return false if ref_name.start_with?(*DISALLOWED_PREFIXES)
+
+ expanded_name = if ref_name.start_with?(*EXPANDED_PREFIXES)
+ ref_name
+ else
+ "refs/heads/#{ref_name}"
+ end
+
+ begin
+ Rugged::Reference.valid_name?(expanded_name)
+ rescue ArgumentError
+ return false
+ end
+ end
end
end
|
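Review bot: The two constants added after `extend self` carry no comment, so a reader has to work out from the call sites that `EXPANDED_PREFIXES` names the namespaces a full ref may carry while `DISALLOWED_PREFIXES` names spellings refused outright, and nothing states why a leading `-` is refused. A one-line comment on each would settle it, e.g. `# Ref namespaces: refused by validate, accepted and kept verbatim by validate_merge_request_branch` and `# A leading '-' is never accepted (presumably so a name cannot be read as an option by git tooling -- confirm)`. As a minor point of style, `*(EXPANDED_PREFIXES + DISALLOWED_PREFIXES)` in `validate` builds a fresh array on every call; a third frozen constant holding the union would avoid that and read more directly.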
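Review bot: In `validate_merge_request_branch` the leading-dash check runs before the prefix handling, so a name such as `refs/heads/-foo` is never tested against `DISALLOWED_PREFIXES`: it does not start with `-`, it is kept verbatim because it starts with an `EXPANDED_PREFIXES` entry, and `Rugged::Reference.valid_name?` appears to accept it, whereas the short spelling `-foo` of the same branch is refused. If a caller later derives the short branch name from the expanded ref, the dash rule is bypassed for that spelling; applying the check to the name with its namespace stripped keeps both spellings consistent, as sketched below. The method also accepts `HEAD` (expanded to `refs/heads/HEAD`) while `validate` refuses it explicitly, which is worth confirming as intended. It lacks the doc comment `validate` has; `# Validates a merge request branch name given either as a short branch name or as a full refs/heads/ or refs/remotes/ ref` would match the existing style.
```ruby
def validate_merge_request_branch(ref_name)
  prefix = EXPANDED_PREFIXES.find { |candidate| ref_name.start_with?(candidate) }
  short_name = prefix ? ref_name.delete_prefix(prefix) : ref_name
  # Apply the dash rule to the branch component itself, not only to the full string
  return false if short_name.start_with?(*DISALLOWED_PREFIXES)

  expanded_name = prefix ? ref_name : "refs/heads/#{ref_name}"

  # … unchanged: Rugged::Reference.valid_name? check with ArgumentError rescue …
```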