Escape branch names in push instructions (!82448) · Merge requests · GitLab.org / GitLab

Dominic Couture requested to merge dcouture-escape-branch-name-init into master Mar 08, 2022

What does this MR do and why?

It was possible to setup a project with a default branch name that could cause trouble for someone who carelessly copy-pasted the push instructions. This MR escapes the branch name.

The backslash escapes aren't the prettiest but I felt like using shellescape for this edge case was better than building our custom logic that would quote the string.

Screenshots or screen recordings

With a default branch name of ;rm -rf /

Before (repro on .com)

After (GDK)

How to set up and validate locally

Create a group
Set the default branch name to something like ;rm -rf / or anything with shell special characters in Settings > Repository
Create an empty project and observe the escaped special characters

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Mar 08, 2022 by Dominic Couture

Escape branch names in push instructions

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports