Commit 9ea885f2 authored by Michelle Gill's avatar Michelle Gill

Return only safe urls for mirrors

parent 1218d19e
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
class RemoteMirrorEntity < Grape::Entity class RemoteMirrorEntity < Grape::Entity
expose :id expose :id
expose :url expose :safe_url, as: :url
expose :enabled expose :enabled
expose :auth_method expose :auth_method
......
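Review bot: The new `expose :safe_url, as: :url` line gives no reason for bypassing the model's raw `url` attribute, so a later maintainer could revert it to `expose :url` without realizing that re-leaks any basic-auth credential embedded in the mirror URL. Add a why-comment above it: `# The raw url may embed user:password credentials; expose the redacted form under the original key so API consumers are unaffected.` `safe_url` is defined outside this hunk, so what it strips and whether it tolerates a nil url is not visible here and is worth confirming, since the entity now calls it on every serialization. The file path for this class is not shown on the page.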
---
title: Return only safe urls for mirrors
merge_request:
author:
type: security
...@@ -6,7 +6,7 @@ module EE ...@@ -6,7 +6,7 @@ module EE
prepended do prepended do
expose :mirror expose :mirror
expose :import_url expose :safe_import_url, as: :import_url
expose :username_only_import_url expose :username_only_import_url
expose :mirror_user_id expose :mirror_user_id
expose :mirror_trigger_builds expose :mirror_trigger_builds
......
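Review bot: The `expose :safe_import_url, as: :import_url` line should carry a why-comment explaining that the raw `import_url` may embed `user:password` credentials and that the redacted form is deliberately exposed under the original key, otherwise the swap looks like a typo and invites a revert. The adjacent `expose :username_only_import_url` still discloses the username, which appears intentional from its name, but the exact redaction contract of `safe_import_url` is defined outside this hunk and should be stated once confirmed. The enclosing `prepended do` block starts and ends outside the hunk.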
...@@ -18,7 +18,7 @@ describe ProjectMirrorEntity do ...@@ -18,7 +18,7 @@ describe ProjectMirrorEntity do
is_expected.to eq( is_expected.to eq(
id: project.id, id: project.id,
mirror: true, mirror: true,
import_url: project.import_url, import_url: project.safe_import_url,
username_only_import_url: project.username_only_import_url, username_only_import_url: project.username_only_import_url,
mirror_user_id: project.mirror_user_id, mirror_user_id: project.mirror_user_id,
mirror_trigger_builds: project.mirror_trigger_builds, mirror_trigger_builds: project.mirror_trigger_builds,
...@@ -36,6 +36,10 @@ describe ProjectMirrorEntity do ...@@ -36,6 +36,10 @@ describe ProjectMirrorEntity do
remote_mirrors_attributes: [] remote_mirrors_attributes: []
) )
end end
it 'excludes password information' do
expect(subject[:import_url]).not_to include('password')
end
end end
context 'SSH public-key authentication' do context 'SSH public-key authentication' do
......
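Review bot: The new `excludes password information` example only proves anything if the project fixture's `import_url` actually embeds a credential containing the literal `password`; the spec's `let(:project)` is outside this hunk, so that is not visible here and the example may be passing vacuously. The `import_url: project.safe_import_url` entry in the `eq` block also mirrors the entity implementation and would still pass if `safe_import_url` returned the raw URL. Make the fixture explicit in this context, e.g. `let(:project) { create(:project, :mirror, import_url: 'https://user:password@example.com/repo.git') }` (using whatever trait the existing fixture already relies on), and add a positive check that the non-secret part survives, `expect(subject[:import_url]).to include('example.com')`. The `describe ProjectMirrorEntity` block starts before and continues after this hunk.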
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
require 'spec_helper' require 'spec_helper'
describe RemoteMirrorEntity do describe RemoteMirrorEntity do
let(:project) { create(:project, :repository, :remote_mirror) } let(:project) { create(:project, :repository, :remote_mirror, url: "https://test:password@gitlab.com") }
let(:remote_mirror) { project.remote_mirrors.first } let(:remote_mirror) { project.remote_mirrors.first }
let(:entity) { described_class.new(remote_mirror) } let(:entity) { described_class.new(remote_mirror) }
...@@ -15,4 +15,9 @@ describe RemoteMirrorEntity do ...@@ -15,4 +15,9 @@ describe RemoteMirrorEntity do
:ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints :ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints
) )
end end
it 'does not expose password information' do
expect(subject[:url]).not_to include('password')
expect(subject[:url]).to eq(remote_mirror.safe_url)
end
end end
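Review bot: `expect(subject[:url]).to eq(remote_mirror.safe_url)` restates the implementation (`expose :safe_url, as: :url`) and cannot fail independently of it, so the only effective check is `not_to include('password')`, which an empty or fully blanked URL would also satisfy. Add a positive assertion that the non-secret parts are retained, e.g. `expect(subject[:url]).to include('gitlab.com')`, and, if `safe_url` is meant to keep the username, `expect(subject[:url]).to include('test')`; the redaction format of `safe_url` lives outside this hunk, so the exact expected string cannot be pinned from here. The `url: "https://test:password@gitlab.com"` fixture is what makes the negative check meaningful and should stay next to this example.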