diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 14:57:37 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 14:57:37 +0000 |
commit | 13f0d48172df4463fd4c2dbded7fdbbbfe88e0a9 (patch) | |
tree | ec69b0b3f5e070aff23f995b97512ed2657d1793 /lib | |
parent | 581d2902d00f62bb789ba56f80bbb750f989e6cf (diff) | |
download | gitlab-ce-13f0d48172df4463fd4c2dbded7fdbbbfe88e0a9.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/static_site_editor/config.rb | 6 | ||||
-rw-r--r-- | lib/gitlab/url_sanitizer.rb | 9 |
2 files changed, 12 insertions, 3 deletions
diff --git a/lib/gitlab/static_site_editor/config.rb b/lib/gitlab/static_site_editor/config.rb index c931cdecbeb..65c567ec2a6 100644 --- a/lib/gitlab/static_site_editor/config.rb +++ b/lib/gitlab/static_site_editor/config.rb @@ -21,7 +21,7 @@ module Gitlab project_id: project.id, project: project.path, namespace: project.namespace.path, - return_url: return_url, + return_url: sanitize_url(return_url), is_supported_content: supported_content?.to_s, base_url: Gitlab::Routing.url_helpers.project_show_sse_path(project, full_path) } @@ -52,6 +52,10 @@ module Gitlab def full_path "#{ref}/#{file_path}" end + + def sanitize_url(url) + url if Gitlab::UrlSanitizer.valid_web?(url) + end end end end diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb index 215454fe63c..fa40a8b678b 100644 --- a/lib/gitlab/url_sanitizer.rb +++ b/lib/gitlab/url_sanitizer.rb @@ -3,6 +3,7 @@ module Gitlab class UrlSanitizer ALLOWED_SCHEMES = %w[http https ssh git].freeze + ALLOWED_WEB_SCHEMES = %w[http https].freeze def self.sanitize(content) regexp = URI::DEFAULT_PARSER.make_regexp(ALLOWED_SCHEMES) @@ -12,17 +13,21 @@ module Gitlab content.gsub(regexp, '') end - def self.valid?(url) + def self.valid?(url, allowed_schemes: ALLOWED_SCHEMES) return false unless url.present? return false unless url.is_a?(String) uri = Addressable::URI.parse(url.strip) - ALLOWED_SCHEMES.include?(uri.scheme) + allowed_schemes.include?(uri.scheme) rescue Addressable::URI::InvalidURIError false end + def self.valid_web?(url) + valid?(url, allowed_schemes: ALLOWED_WEB_SCHEMES) + end + def initialize(url, credentials: nil) %i[user password].each do |symbol| credentials[symbol] = credentials[symbol].presence if credentials&.key?(symbol) |