Commit b40ea0f1 authored by Rémy Coutable's avatar Rémy Coutable 🔴

Merge branch 'sh-validate-ref-name-in-commit' into 'master'

Validate refs used in controllers don't have spaces

Closes #58572 and gitaly#1425

See merge request gitlab-org/gitlab-ce!24037
parents b15a78df e675fe46
Pipeline #56866821 passed with stages
in 50 minutes and 46 seconds
---
title: Validate refs used in controllers don't have spaces
merge_request: 24037
author:
type: other
......@@ -113,6 +113,9 @@ module ExtractsPath
@id = get_id
@ref, @path = extract_ref(@id)
@repo = @project.repository
@ref.strip!
raise InvalidPathError if @ref.match?(/\s/)
@commit = @repo.commit(@ref)
......
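Review bot: The added guard `raise InvalidPathError if @ref.match?(/\s/)` rejects only ASCII whitespace, so a ref containing other bytes that Git does not allow in a ref name (NUL and the remaining ASCII control characters, DEL) still reaches `@repo.commit(@ref)` and whatever backend request that triggers. If the intent is to stop malformed refs before the repository lookup, widen the check, e.g. `raise InvalidPathError if @ref.match?(/[\x00-\x20\x7f]/)`, or add a comment stating why whitespace is the only case handled here. `@ref.strip!` also mutates the string returned by `extract_ref` in place; `@ref = @ref.strip` avoids a surprise if that string is frozen or shared with `@id`, which cannot be determined from this hunk. The enclosing method starts and ends outside the hunk.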
......@@ -74,6 +74,26 @@ describe Projects::TreeController do
end
end
describe 'GET show with whitespace in ref' do
render_views
let(:id) { "this ref/api/responses" }
it 'does not call make a Gitaly request' do
allow(::Gitlab::GitalyClient).to receive(:call).and_call_original
expect(::Gitlab::GitalyClient).not_to receive(:call).with(anything, :commit_service, :find_commit, anything, anything)
get(:show,
params: {
namespace_id: project.namespace.to_param,
project_id: project,
id: id
})
expect(response).to have_gitlab_http_status(:not_found)
end
end
describe 'GET show with blob path' do
render_views
......
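Review bot: The negative expectation `not_to receive(:call).with(anything, :commit_service, :find_commit, anything, anything)` is tied to one exact argument count, so if `GitalyClient.call` is ever invoked with a different number of arguments the example would pass without proving the request was skipped. Matching with `with(anything, :commit_service, :find_commit, any_args)` keeps the assertion meaningful if the signature changes. The example description reads 'does not call make a Gitaly request'; `it 'does not make a Gitaly request' do` is clearer.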
......@@ -44,6 +44,36 @@ describe ExtractsPath do
end
end
context 'ref contains trailing space' do
let(:ref) { 'master ' }
it 'strips surrounding space' do
assign_ref_vars
expect(@ref).to eq('master')
end
end
context 'ref contains leading space' do
let(:ref) { ' master ' }
it 'strips surrounding space' do
assign_ref_vars
expect(@ref).to eq('master')
end
end
context 'ref contains space in the middle' do
let(:ref) { 'master plan ' }
it 'returns 404' do
expect(self).to receive(:render_404)
assign_ref_vars
end
end
context 'path contains space' do
let(:params) { { path: 'with space', ref: '38008cb17ce1466d8fec2dfa6f6ab8dcfe5cf49e' } }
......
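Review bot: The 'ref contains leading space' context uses `' master '`, which also carries a trailing space, so leading-only input is not isolated; `let(:ref) { ' master' }` would cover it. The rejection path is exercised only with a plain space (`'master plan '`), while the guard under test matches any `\s`; an extra context such as `let(:ref) { "master\tplan" }` would pin tabs and newlines as rejected too. The final 'path contains space' context continues past the end of this hunk.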