added import url exposer to construct URL withunencrypted credentials

c2b33d3b · James Lopez · 06b36c00 · c2b33d3b · c2b33d3b · c2b33d3b
Commit c2b33d3b authored Mar 04, 2016 by James Lopez
5 changed files
--- a/app/models/project_import_data.rb
+++ b/app/models/project_import_data.rb
@@ -13,6 +13,7 @@ require 'file_size_validator'
 class ProjectImportData < ActiveRecord::Base
  belongs_to :project
  attr_encrypted :credentials, key: Gitlab::Application.secrets.db_key_base
+  serialize :credentials, JSON

  serialize :data, JSON


--- a/lib/gitlab/github_import/importer.rb
+++ b/lib/gitlab/github_import/importer.rb
@@ -7,8 +7,7 @@ module Gitlab

      def initialize(project)
        @project = project
-        import_data = project.import_data.try(:data)
-        github_session = import_data["github_session"] if import_data
+        github_session = project.import_data.credentials if import_data
        @client = Client.new(github_session["github_access_token"])
        @formatter = Gitlab::ImportFormatter.new
      end

--- a/lib/gitlab/github_import/project_creator.rb
+++ b/lib/gitlab/github_import/project_creator.rb
@@ -32,8 +32,8 @@ module Gitlab

      def create_import_data(project)
        project.create_import_data(
-          credentials: session_data.delete(:github_access_token),
-          data: { "github_session" => session_data })
+          credentials: { github_access_token: session_data.delete(:github_access_token) },
+          data: { github_session: session_data })
      end
    end
  end

--- a/lib/gitlab/github_import/wiki_formatter.rb
+++ b/lib/gitlab/github_import/wiki_formatter.rb
@@ -12,7 +12,9 @@ module Gitlab
      end

      def import_url
-        project.import_url.sub(/\.git\z/, ".wiki.git")
+        import_url = Gitlab::ImportUrlExposer.expose(import_url: project.import_url,
+                                                     credentials: project.import_data.credentials)
+        import_url.sub(/\.git\z/, ".wiki.git")
      end
    end
  end

--- a/lib/gitlab/import_url_exposer.rb
+++ b/lib/gitlab/import_url_exposer.rb
+module Gitlab
+  # Exposes an import URL that includes the credentials unencrypted.
+  # Extracted to its own class to prevent unintended use.
+  module ImportUrlExposer
+    extend self
+
+    def expose(import_url:, credentials: )
+      import_url.sub("//", "//#{parsed_credentials(credentials)}@")
+    end
+
+    private
+
+    def parsed_credentials(credentials)
+      credentials.values.join(":")
+    end
+  end
+end
\ No newline at end of file