Add filter param sanitization

485b8b86 · George Koltsov · 94e1404c · 485b8b86 · 485b8b86 · 485b8b86
Commit 485b8b86 authored Aug 06, 2019 by George Koltsov
3 changed files
--- a/app/controllers/import/bitbucket_server_controller.rb
+++ b/app/controllers/import/bitbucket_server_controller.rb
 # frozen_string_literal: true

 class Import::BitbucketServerController < Import::BaseController
+  include ActionView::Helpers::SanitizeHelper
+
  before_action :verify_bitbucket_server_import_enabled
  before_action :bitbucket_auth, except: [:new, :configure]
  before_action :validate_import_params, only: [:create]
@@ -57,7 +59,7 @@ class Import::BitbucketServerController < Import::BaseController

  # rubocop: disable CodeReuse/ActiveRecord
  def status
-    @collection = bitbucket_client.repos(page_offset: page_offset, limit: limit_per_page, filter: params[:filter])
+    @collection = bitbucket_client.repos(page_offset: page_offset, limit: limit_per_page, filter: sanitized_filter_param)
    @repos, @incompatible_repos = @collection.partition { |repo| repo.valid? }

    # Use the import URL to filter beyond what BaseService#find_already_added_projects
@@ -147,4 +149,8 @@ class Import::BitbucketServerController < Import::BaseController
  def limit_per_page
    BitbucketServer::Paginator::PAGE_LENGTH
  end
+
+  def sanitized_filter_param
+    sanitize(params[:filter])
+  end
 end
--- a/app/views/import/bitbucket_server/status.html.haml
+++ b/app/views/import/bitbucket_server/status.html.haml
@@ -23,7 +23,7 @@

 .input-btn-group.float-right
  = form_tag status_import_bitbucket_server_path, :method => 'get' do
-    = text_field_tag :filter, params[:filter], class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true
+    = text_field_tag :filter, sanitize(params[:filter]), class: 'form-control append-bottom-10', placeholder: _('Filter your projects by name'), size: 40, autoFocus: true

 .table-responsive.prepend-top-10
  %table.table.import-jobs

--- a/doc/user/project/import/bitbucket_server.md
+++ b/doc/user/project/import/bitbucket_server.md
@@ -32,8 +32,8 @@ Import your projects from Bitbucket Server to GitLab with minimal effort.
 1. Attachments in Markdown are currently not imported.
 1. Task lists are not imported.
 1. Emoji reactions are not imported
-1. Project filtering does not support fuzzy search (only starts with or full
-   match strings are currently supported)
+1. Project filtering does not support fuzzy search (only `starts with` or `full
+   match strings` are currently supported)

 ## How it works