authorNick Thomas <nick@gitlab.com>2018-08-09 18:26:55 +0100
committerNick Thomas <nick@gitlab.com>2018-08-09 18:43:36 +0100
commit6e907f26475f16ad7d3e02aa64138e0fe35bb6b9 (patch)
tree5f3ad4f3a335383f0b92300d6d6a864f97910e7a
parentc4b5a076040a6f6156c26f66cdc47610fc267db2 (diff)
downloadgitlab-shell-6e907f26475f16ad7d3e02aa64138e0fe35bb6b9.tar.gz
Harden gitlab-shell against arguments following the gl_id parameter in the command line
-rwxr-xr-xbin/gitlab-shell2
-rw-r--r--spec/gitlab_shell_gitlab_shell_spec.rb6
2 files changed, 4 insertions, 4 deletions
diff --git a/bin/gitlab-shell b/bin/gitlab-shell
index ae751d7..93a79f6 100755
--- a/bin/gitlab-shell
+++ b/bin/gitlab-shell
@@ -19,7 +19,7 @@ require File.join(ROOT_PATH, 'lib', 'gitlab_shell')
# We must match e.g. "key-12345" anywhere on the command-line. See
# https://gitlab.com/gitlab-org/gitlab-shell/issues/145
-who = /\b(?:(?:key|user)-[0-9]+|username-\S+)\b/.match(ARGV.join).to_s;
+who = /\b(?:(?:key|user)-[0-9]+|username-\S+)\b/.match(ARGV.join(' ')).to_s
if GitlabShell.new(who).exec(original_cmd)
exit 0
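Review bot: The identity match on the `who =` line is still an unanchored search over the whole joined command line, so the first substring shaped like `key-N`, `user-N` or `username-…` wins wherever it occurs, including after a hyphen inside a longer argument, because `\b` treats `-` as a boundary. Joining with a space stops a following argument from running into the id, but it does not tie the match to the gl_id argument itself. If every argument before gl_id is fixed by server-side configuration this may be acceptable; otherwise one option is to accept only whole whitespace-separated tokens, e.g. `who = ARGV.join(' ').split.grep(/\A(?:(?:key|user)-[0-9]+|username-\S+)\z/).first.to_s`. The comment above the line could also record why the separator matters, e.g. `# Join with a space so a following argument cannot extend the id.` The `if` block that consumes `who` continues outside the hunk.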
diff --git a/spec/gitlab_shell_gitlab_shell_spec.rb b/spec/gitlab_shell_gitlab_shell_spec.rb
index 76e2afd..abe71e1 100644
--- a/spec/gitlab_shell_gitlab_shell_spec.rb
+++ b/spec/gitlab_shell_gitlab_shell_spec.rb
@@ -130,21 +130,21 @@ describe 'bin/gitlab-shell' do
# Not so basic valid input
# (https://gitlab.com/gitlab-org/gitlab-shell/issues/145)
it 'succeeds and prints username when a valid known key id is given in the middle of other input' do
- output, status = run!(["-c/usr/share/webapps/gitlab-shell/bin/gitlab-shell key-100"])
+ output, status = run!(["-c/usr/share/webapps/gitlab-shell/bin/gitlab-shell", "key-100", "2foo"])
expect(output).to eq("Welcome to GitLab, @someuser!\n")
expect(status).to be_success
end
it 'succeeds and prints username when a valid known user id is given in the middle of other input' do
- output, status = run!(["-c/usr/share/webapps/gitlab-shell/bin/gitlab-shell user-10"])
+ output, status = run!(["-c/usr/share/webapps/gitlab-shell/bin/gitlab-shell", "user-10", "2foo"])
expect(output).to eq("Welcome to GitLab, @someuser!\n")
expect(status).to be_success
end
it 'succeeds and prints username when a valid known username is given in the middle of other input' do
- output, status = run!(["-c/usr/share/webapps/gitlab-shell/bin/gitlab-shell username-someuser"])
+ output, status = run!(["-c/usr/share/webapps/gitlab-shell/bin/gitlab-shell", "username-someuser" ,"foo"])
expect(output).to eq("Welcome to GitLab, @someuser!\n")
expect(status).to be_success