Merge branch 'verify_ref_name_in_commits_api' into 'master'

Return an error for an invalid ref_name See merge request gitlab-org/gitlab!79531

Merge branch 'verify_ref_name_in_commits_api' into 'master'
Return an error for an invalid ref_name See merge request gitlab-org/gitlab!79531
32a93d55 · Mayra Cabrera · a01669c3 · ca87a513 · 32a93d55 · 32a93d55
Commit 32a93d55 authored Feb 09, 2022 by Mayra Cabrera
4 changed files
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -32,7 +32,7 @@ module API
        success Entities::Commit
      end
      params do
-        optional :ref_name, type: String, desc: 'The name of a repository branch or tag, if not given the default branch is used'
+        optional :ref_name, type: String, desc: 'The name of a repository branch or tag, if not given the default branch is used', regexp: /\A#{Gitlab::PathRegex.git_reference_regex}\z|\A\z/
        optional :since, type: DateTime, desc: 'Only commits after or on this date will be returned'
        optional :until, type: DateTime, desc: 'Only commits before or on this date will be returned'
        optional :path, type: String, desc: 'The file path'

--- a/lib/gitlab/path_regex.rb
+++ b/lib/gitlab/path_regex.rb
@@ -234,7 +234,7 @@ module Gitlab
      @git_reference_regex ||= single_line_regexp %r{
        (?!
           (?# doesn't begins with)
-           \/|                    (?# rule #6)
+           \/|-|                  (?# rule #6)
           (?# doesn't contain)
           .*(?:
              [\/.]\.|            (?# rule #1,3)

--- a/spec/lib/gitlab/path_regex_spec.rb
+++ b/spec/lib/gitlab/path_regex_spec.rb
@@ -530,6 +530,18 @@ RSpec.describe Gitlab::PathRegex do
      it { is_expected.not_to match('snippets/1.wiki.git') }
    end

+    describe '.git_reference_regex' do
+      subject { %r{\A#{described_class.git_reference_regex}\z} }
+
+      it { is_expected.to match('main') }
+      it { is_expected.to match('v1.2.3') }
+      it { is_expected.to match('refs/heads/main') }
+      it { is_expected.to match('1-2-3') }
+      it { is_expected.to match('1-----') }
+      it { is_expected.not_to match('-main') }
+      it { is_expected.not_to match('') }
+    end
+
    describe '.full_snippets_repository_path_regex' do
      subject { described_class.full_snippets_repository_path_regex }


--- a/spec/requests/api/commits_spec.rb
+++ b/spec/requests/api/commits_spec.rb
@@ -127,6 +127,14 @@ RSpec.describe API::Commits do
        it_behaves_like 'project commits'
      end

+      context 'with incorrect ref_name parameter' do
+        let(:route) { "/projects/#{project_id}/repository/commits?ref_name=-main" }
+
+        it_behaves_like '400 response' do
+          let(:request) { get api(route, user) }
+        end
+      end
+
      context "path optional parameter" do
        it "returns project commits matching provided path parameter" do
          path = 'files/ruby/popen.rb'