summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 14:57:37 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 14:57:37 +0000
commit13f0d48172df4463fd4c2dbded7fdbbbfe88e0a9 (patch)
treeec69b0b3f5e070aff23f995b97512ed2657d1793 /lib
parent581d2902d00f62bb789ba56f80bbb750f989e6cf (diff)
downloadgitlab-ce-13f0d48172df4463fd4c2dbded7fdbbbfe88e0a9.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/static_site_editor/config.rb6
-rw-r--r--lib/gitlab/url_sanitizer.rb9
2 files changed, 12 insertions, 3 deletions
diff --git a/lib/gitlab/static_site_editor/config.rb b/lib/gitlab/static_site_editor/config.rb
index c931cdecbeb..65c567ec2a6 100644
--- a/lib/gitlab/static_site_editor/config.rb
+++ b/lib/gitlab/static_site_editor/config.rb
@@ -21,7 +21,7 @@ module Gitlab
project_id: project.id,
project: project.path,
namespace: project.namespace.path,
- return_url: return_url,
+ return_url: sanitize_url(return_url),
is_supported_content: supported_content?.to_s,
base_url: Gitlab::Routing.url_helpers.project_show_sse_path(project, full_path)
}
@@ -52,6 +52,10 @@ module Gitlab
def full_path
"#{ref}/#{file_path}"
end
+
+ def sanitize_url(url)
+ url if Gitlab::UrlSanitizer.valid_web?(url)
+ end
end
end
end
diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb
index 215454fe63c..fa40a8b678b 100644
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -3,6 +3,7 @@
module Gitlab
class UrlSanitizer
ALLOWED_SCHEMES = %w[http https ssh git].freeze
+ ALLOWED_WEB_SCHEMES = %w[http https].freeze
def self.sanitize(content)
regexp = URI::DEFAULT_PARSER.make_regexp(ALLOWED_SCHEMES)
@@ -12,17 +13,21 @@ module Gitlab
content.gsub(regexp, '')
end
- def self.valid?(url)
+ def self.valid?(url, allowed_schemes: ALLOWED_SCHEMES)
return false unless url.present?
return false unless url.is_a?(String)
uri = Addressable::URI.parse(url.strip)
- ALLOWED_SCHEMES.include?(uri.scheme)
+ allowed_schemes.include?(uri.scheme)
rescue Addressable::URI::InvalidURIError
false
end
+ def self.valid_web?(url)
+ valid?(url, allowed_schemes: ALLOWED_WEB_SCHEMES)
+ end
+
def initialize(url, credentials: nil)
%i[user password].each do |symbol|
credentials[symbol] = credentials[symbol].presence if credentials&.key?(symbol)