Commit 1e14c3c8 authored by Bob Van Landuyt's avatar Bob Van Landuyt

Reject paths following namespace for paths including 2 `*`

Reject the part following `/*namespace_id/:project_id` for paths
containing 2 wildcard parameters
parent 2c7ca43b
...@@ -70,10 +70,10 @@ class DynamicPathValidator < ActiveModel::EachValidator ...@@ -70,10 +70,10 @@ class DynamicPathValidator < ActiveModel::EachValidator
# 'tree' as project name and 'deploy_keys' as route. # 'tree' as project name and 'deploy_keys' as route.
# #
WILDCARD_ROUTES = Set.new(%w[ WILDCARD_ROUTES = Set.new(%w[
artifacts
badges badges
blame blame
blob blob
builds
commits commits
create create
create_dir create_dir
...@@ -83,10 +83,10 @@ class DynamicPathValidator < ActiveModel::EachValidator ...@@ -83,10 +83,10 @@ class DynamicPathValidator < ActiveModel::EachValidator
find_file find_file
gitlab-lfs/objects gitlab-lfs/objects
info/lfs/objects info/lfs/objects
logs_tree
new new
preview preview
raw raw
refs
tree tree
update update
wikis wikis
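Review bot: The comment above `WILDCARD_ROUTES` does not say which path segment an entry stands for, and after this change that is the only thing explaining why `builds` and `refs` are listed while `artifacts` and `logs_tree` are not (the old/new sides are inferred from the commit message, since the rendered page lost the markers). I would add a line such as `# Each entry is the first path segment following /*namespace_id/:project_id.` so that a later route addition reserves the right word. Because this set is a denylist of names that would shadow routes, dropping an entry relaxes validation; the matching code is outside these hunks, so it is worth confirming that nothing else still depends on the inner segments being rejected. The set literal continues past both hunks.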
......
...@@ -13,29 +13,28 @@ describe DynamicPathValidator do ...@@ -13,29 +13,28 @@ describe DynamicPathValidator do
# That's not a parameter # That's not a parameter
# `/*namespace_id/:project_id/builds/artifacts/*ref_name_and_path` # `/*namespace_id/:project_id/builds/artifacts/*ref_name_and_path`
# -> 'builds/artifacts' # -> 'builds/artifacts'
def path_between_wildcards(path) def path_before_wildcard(path)
path = path.gsub(STARTING_WITH_NAMESPACE, "") path = path.gsub(STARTING_WITH_NAMESPACE, "")
path_segments = path.split('/').reject(&:empty?) path_segments = path.split('/').reject(&:empty?)
wildcard_index = path_segments.index { |segment| segment.starts_with?('*') } wildcard_index = path_segments.index { |segment| parameter?(segment) }
segments_before_wildcard = path_segments[0..wildcard_index - 1] segments_before_wildcard = path_segments[0..wildcard_index - 1]
param_index = segments_before_wildcard.index { |segment| segment.starts_with?(':') } segments_before_wildcard.join('/')
if param_index
segments_before_wildcard = segments_before_wildcard[param_index + 1..-1]
end end
segments_before_wildcard.join('/') def parameter?(segment)
segment =~ /[*:]/
end end
# If the path is reserved. Then no conflicting paths can# be created for any # If the path is reserved. Then no conflicting paths can# be created for any
# route using this reserved word. # route using this reserved word.
# #
# Both `builds/artifacts` & `artifacts/file` are covered by reserving the word # Both `builds/artifacts` & `build` are covered by reserving the word
# `artifacts` # `build`
def wildcards_include?(path) def wildcards_include?(path)
described_class::WILDCARD_ROUTES.include?(path) || described_class::WILDCARD_ROUTES.include?(path) ||
path.split('/').any? { |segment| described_class::WILDCARD_ROUTES.include?(segment) } described_class::WILDCARD_ROUTES.include?(path.split('/').first)
end end
let(:all_routes) do let(:all_routes) do
...@@ -83,7 +82,10 @@ describe DynamicPathValidator do ...@@ -83,7 +82,10 @@ describe DynamicPathValidator do
# -> ['builds/artifacts', 'info/lfs/objects', 'commits', 'artifacts/file'] # -> ['builds/artifacts', 'info/lfs/objects', 'commits', 'artifacts/file']
let(:all_wildcard_paths) do let(:all_wildcard_paths) do
namespaced_wildcard_routes.map do |route| namespaced_wildcard_routes.map do |route|
path_between_wildcards(route) path_before_wildcard(route)
end.uniq
end
end.uniq end.uniq
end end
...@@ -114,7 +116,7 @@ describe DynamicPathValidator do ...@@ -114,7 +116,7 @@ describe DynamicPathValidator do
to be_truthy to be_truthy
end end
it 'skips partial path matchies' do it 'skips partial path matches' do
expect(described_class.contains_path_part?('some/user1/path', 'user')). expect(described_class.contains_path_part?('some/user1/path', 'user')).
to be_falsy to be_falsy
end end
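Review bot: In `path_before_wildcard`, `path_segments[0..wildcard_index - 1]` is fragile at both ends: when the first remaining segment is a parameter the range becomes `0..-1` and returns every segment, and when no segment matches `parameter?` the subtraction is called on nil. `path_segments.take_while { |segment| !parameter?(segment) }.join('/')` covers both cases without index arithmetic; whether the routes passed in can reach either case depends on `namespaced_wildcard_routes`, which is outside the hunk. The helper feeds the check that every namespaced wildcard route is covered by the reserved list, so a wrong slice there would make the spec assert on the wrong word. The comments also appear to lag the code: the `-> [...]` example above `all_wildcard_paths` still lists `artifacts/file`, and the comment above `wildcards_include?` says `build` where the route segment is `builds`.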
......