Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
05aac11a
Commit
05aac11a
authored
Sep 01, 2020
by
GitLab Bot
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee
parent
d40003af
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
43 additions
and
0 deletions
+43
-0
app/services/projects/update_remote_mirror_service.rb
app/services/projects/update_remote_mirror_service.rb
+4
-0
changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml
...eased/215879-check-validity-of-repository-mirror-urls.yml
+5
-0
spec/services/projects/update_remote_mirror_service_spec.rb
spec/services/projects/update_remote_mirror_service_spec.rb
+34
-0
No files found.
app/services/projects/update_remote_mirror_service.rb
View file @
05aac11a
...
@@ -7,6 +7,10 @@ module Projects
...
@@ -7,6 +7,10 @@ module Projects
def
execute
(
remote_mirror
,
tries
)
def
execute
(
remote_mirror
,
tries
)
return
success
unless
remote_mirror
.
enabled?
return
success
unless
remote_mirror
.
enabled?
if
Gitlab
::
UrlBlocker
.
blocked_url?
(
CGI
.
unescape
(
Gitlab
::
UrlSanitizer
.
sanitize
(
remote_mirror
.
url
)))
return
error
(
"The remote mirror URL is invalid."
)
end
update_mirror
(
remote_mirror
)
update_mirror
(
remote_mirror
)
success
success
...
...
changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml
0 → 100644
View file @
05aac11a
---
title
:
Check validity of project's import_url before mirroring repository
merge_request
:
author
:
type
:
security
spec/services/projects/update_remote_mirror_service_spec.rb
View file @
05aac11a
...
@@ -56,6 +56,40 @@ RSpec.describe Projects::UpdateRemoteMirrorService do
...
@@ -56,6 +56,40 @@ RSpec.describe Projects::UpdateRemoteMirrorService do
expect
(
remote_mirror
.
last_error
).
to
include
(
'Badly broken'
)
expect
(
remote_mirror
.
last_error
).
to
include
(
'Badly broken'
)
end
end
context
'when the URL is blocked'
do
before
do
allow
(
Gitlab
::
UrlBlocker
).
to
receive
(
:blocked_url?
).
and_return
(
true
)
end
it
'fails and returns error status'
do
expect
(
execute!
).
to
eq
(
status: :error
,
message:
'The remote mirror URL is invalid.'
)
end
end
context
"when given URLs containing escaped elements"
do
using
RSpec
::
Parameterized
::
TableSyntax
where
(
:url
,
:result_status
)
do
"https://user:0a%23@test.example.com/project.git"
|
:success
"https://git.example.com:1%2F%2F@source.developers.google.com/project.git"
|
:success
CGI
.
escape
(
"git://localhost:1234/some-path?some-query=some-val
\#
@example.com/"
)
|
:error
CGI
.
escape
(
CGI
.
escape
(
"https://user:0a%23@test.example.com/project.git"
))
|
:error
end
with_them
do
before
do
allow
(
remote_mirror
).
to
receive
(
:url
).
and_return
(
url
)
allow
(
service
).
to
receive
(
:update_mirror
).
with
(
remote_mirror
).
and_return
(
true
)
end
it
"returns expected status"
do
result
=
execute!
expect
(
result
[
:status
]).
to
eq
(
result_status
)
end
end
end
context
'when the update fails because of a `Gitlab::Git::CommandError`'
do
context
'when the update fails because of a `Gitlab::Git::CommandError`'
do
before
do
before
do
allow
(
remote_mirror
).
to
receive
(
:update_repository
)
allow
(
remote_mirror
).
to
receive
(
:update_repository
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment