issue-trackers: enforce a http or / patterns to avoid JS injections.
marcink -
r2334:0804fe0e default
@@ -620,11 +620,11 b' class TestAdminSettingsIssueTracker(obje'
620 post_url = route_path('admin_settings_issuetracker_update')
620 post_url = route_path('admin_settings_issuetracker_update')
621 post_data = {
621 post_data = {
622 'new_pattern_pattern_0': pattern,
622 'new_pattern_pattern_0': pattern,
623 'new_pattern_url_0': 'url',
623 'new_pattern_url_0': 'http://url',
624 'new_pattern_prefix_0': 'prefix',
624 'new_pattern_prefix_0': 'prefix',
625 'new_pattern_description_0': 'description',
625 'new_pattern_description_0': 'description',
626 'new_pattern_pattern_1': another_pattern,
626 'new_pattern_pattern_1': another_pattern,
627 'new_pattern_url_1': 'url1',
627 'new_pattern_url_1': 'https://url1',
628 'new_pattern_prefix_1': 'prefix1',
628 'new_pattern_prefix_1': 'prefix1',
629 'new_pattern_description_1': 'description1',
629 'new_pattern_description_1': 'description1',
630 'csrf_token': csrf_token
630 'csrf_token': csrf_token
@@ -663,7 +663,7 b' class TestAdminSettingsIssueTracker(obje'
663 post_url = route_path('admin_settings_issuetracker_update')
663 post_url = route_path('admin_settings_issuetracker_update')
664 post_data = {
664 post_data = {
665 'new_pattern_pattern_0': pattern,
665 'new_pattern_pattern_0': pattern,
666 'new_pattern_url_0': 'url',
666 'new_pattern_url_0': 'https://url',
667 'new_pattern_prefix_0': 'prefix',
667 'new_pattern_prefix_0': 'prefix',
668 'new_pattern_description_0': 'description',
668 'new_pattern_description_0': 'description',
669 'uid': old_uid,
669 'uid': old_uid,
@@ -697,7 +697,7 b' class TestAdminSettingsIssueTracker(obje'
697 post_url = route_path('admin_settings_issuetracker_update')
697 post_url = route_path('admin_settings_issuetracker_update')
698 post_data = {
698 post_data = {
699 'new_pattern_pattern_0': pattern,
699 'new_pattern_pattern_0': pattern,
700 'new_pattern_url_0': 'url',
700 'new_pattern_url_0': 'https://url',
701 'new_pattern_prefix_0': 'prefix',
701 'new_pattern_prefix_0': 'prefix',
702 'new_pattern_description_0': new_description,
702 'new_pattern_description_0': new_description,
703 'uid': self.uid,
703 'uid': self.uid,
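Review bot: The fixtures in these three hunks are switched to `http://url` and `https://url1` so the existing tests keep passing under the new validator, but nothing in this file exercises the rejection path the commit introduces. A test that posts `'new_pattern_url_0': 'javascript:alert(1)'` to `admin_settings_issuetracker_update` with the csrf token, follows the redirect, and asserts the `Invalid issue tracker pattern` flash plus an unchanged pattern list would pin that behaviour. Including a second value such as `//evil.example/` is worth it, because the validator as written in this commit (a `startswith(('http', '/'))` prefix test) accepts it. Each test method around these fixtures starts before its hunk.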
@@ -481,7 +481,15 b' class AdminSettingsView(BaseAppView):'
481 self.load_default_context()
481 self.load_default_context()
482 settings_model = IssueTrackerSettingsModel()
482 settings_model = IssueTrackerSettingsModel()
483
483
484 form = IssueTrackerPatternsForm()().to_python(self.request.POST)
484 try:
485 form = IssueTrackerPatternsForm()().to_python(self.request.POST)
486 except formencode.Invalid as errors:
487 log.exception('Failed to add new pattern')
488 error = errors
489 h.flash(_('Invalid issue tracker pattern: {}'.format(error)),
490 category='error')
491 raise HTTPFound(h.route_path('admin_settings_issuetracker'))
492
485 if form:
493 if form:
486 for uid in form.get('delete_patterns', []):
494 for uid in form.get('delete_patterns', []):
487 settings_model.delete_entries(uid)
495 settings_model.delete_entries(uid)
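Review bot: At new line 489 the translation call wraps the already formatted string, `_('Invalid issue tracker pattern: {}'.format(error))`, so the text handed to the catalog contains the runtime error and can never match a translated entry; format after translating, `h.flash(_('Invalid issue tracker pattern: {}').format(errors), category='error')`, which also makes the `error = errors` alias at 488 unnecessary. `log.exception` at 487 records a full traceback for an expected input-validation failure; `log.warning('Failed to add new pattern: %s', errors)` keeps the signal without the noise. If this module runs on Python 2, a non-ASCII translated message inside a byte-string `format` could also raise `UnicodeEncodeError`, so a `u''` format string is the safer choice. The enclosing view method begins before this hunk.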
@@ -58,11 +58,11 b' class TestRepoIssueTracker(object):'
58 'edit_repo_issuetracker_update', repo_name=backend.repo.repo_name)
58 'edit_repo_issuetracker_update', repo_name=backend.repo.repo_name)
59 post_data = {
59 post_data = {
60 'new_pattern_pattern_0': pattern,
60 'new_pattern_pattern_0': pattern,
61 'new_pattern_url_0': 'url',
61 'new_pattern_url_0': 'http://url',
62 'new_pattern_prefix_0': 'prefix',
62 'new_pattern_prefix_0': 'prefix',
63 'new_pattern_description_0': 'description',
63 'new_pattern_description_0': 'description',
64 'new_pattern_pattern_1': another_pattern,
64 'new_pattern_pattern_1': another_pattern,
65 'new_pattern_url_1': 'url1',
65 'new_pattern_url_1': '/url1',
66 'new_pattern_prefix_1': 'prefix1',
66 'new_pattern_prefix_1': 'prefix1',
67 'new_pattern_description_1': 'description1',
67 'new_pattern_description_1': 'description1',
68 'csrf_token': csrf_token
68 'csrf_token': csrf_token
@@ -84,7 +84,7 b' class TestRepoIssueTracker(object):'
84 extra_environ=xhr_header, params=data)
84 extra_environ=xhr_header, params=data)
85
85
86 assert response.body == \
86 assert response.body == \
87 'example of <a class="issue-tracker-link" href="url">prefix</a> replacement'
87 'example of <a class="issue-tracker-link" href="http://url">prefix</a> replacement'
88
88
89 @request.addfinalizer
89 @request.addfinalizer
90 def cleanup():
90 def cleanup():
@@ -106,7 +106,7 b' class TestRepoIssueTracker(object):'
106 'edit_repo_issuetracker_update', repo_name=backend.repo.repo_name)
106 'edit_repo_issuetracker_update', repo_name=backend.repo.repo_name)
107 post_data = {
107 post_data = {
108 'new_pattern_pattern_0': pattern,
108 'new_pattern_pattern_0': pattern,
109 'new_pattern_url_0': 'url',
109 'new_pattern_url_0': '/url',
110 'new_pattern_prefix_0': 'prefix',
110 'new_pattern_prefix_0': 'prefix',
111 'new_pattern_description_0': 'description',
111 'new_pattern_description_0': 'description',
112 'uid': old_uid,
112 'uid': old_uid,
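Review bot: The `edit_repo_issuetracker_update` route is presumably reachable by repository admins rather than only site admins, so the new validator is the sole barrier between a repo admin and a stored `javascript:` href rendered for every user who views a commit message, yet this section only updates the positive fixtures (`http://url`, `/url1`, `/url`) and adds no negative case. A test posting `'new_pattern_url_0': 'javascript:alert(1)'` here and asserting the `Invalid issue tracker pattern` flash and an unchanged pattern list belongs alongside the admin-level one. The assertion at new line 87 is also the right place to add a second expectation for a root-relative pattern, since `/url` is now the other accepted form. The test methods around these hunks start before each hunk.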
@@ -22,6 +22,7 b' import logging'
22
22
23 from pyramid.httpexceptions import HTTPFound
23 from pyramid.httpexceptions import HTTPFound
24 from pyramid.view import view_config
24 from pyramid.view import view_config
25 import formencode
25
26
26 from rhodecode.apps._base import RepoAppView
27 from rhodecode.apps._base import RepoAppView
27 from rhodecode.lib import audit_logger
28 from rhodecode.lib import audit_logger
@@ -116,7 +117,17 b' class RepoSettingsIssueTrackersView(Repo'
116 repo_settings.inherit_global_settings = inherited
117 repo_settings.inherit_global_settings = inherited
117 Session().commit()
118 Session().commit()
118
119
119 form = IssueTrackerPatternsForm()().to_python(self.request.POST)
120 try:
121 form = IssueTrackerPatternsForm()().to_python(self.request.POST)
122 except formencode.Invalid as errors:
123 log.exception('Failed to add new pattern')
124 error = errors
125 h.flash(_('Invalid issue tracker pattern: {}'.format(error)),
126 category='error')
127 raise HTTPFound(
128 h.route_path('edit_repo_issuetracker',
129 repo_name=self.db_repo_name))
130
120 if form:
131 if form:
121 self._update_patterns(form, repo_settings)
132 self._update_patterns(form, repo_settings)
122
133
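Review bot: `repo_settings.inherit_global_settings = inherited` is committed at line 118, before the pattern form is validated at 121, so a request carrying a bad URL now persists the inheritance toggle and then redirects with an error while the patterns are rejected — a partial update the flash message does not mention. Validating first (moving the `try` block above the assignment and `Session().commit()`) keeps the update all-or-nothing from the user's point of view; I cannot see from the hunk whether anything between the commit and the validation depends on the flag being saved already. The hunk also has the translation applied after formatting at 125, `_('Invalid issue tracker pattern: {}'.format(error))`, which should be `_('Invalid issue tracker pattern: {}').format(errors)` so the catalog key stays constant. The view method begins before this hunk.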
@@ -1081,6 +1081,9 b' def ValidAuthPlugins():'
1081 def ValidPattern():
1081 def ValidPattern():
1082
1082
1083 class _Validator(formencode.validators.FancyValidator):
1083 class _Validator(formencode.validators.FancyValidator):
1084 messages = {
1085 'bad_format': _(u'Url must start with http or /'),
1086 }
1084
1087
1085 def _to_python(self, value, state):
1088 def _to_python(self, value, state):
1086 patterns = []
1089 patterns = []
@@ -1096,7 +1099,6 b' def ValidPattern():'
1096
1099
1097 values = {
1100 values = {
1098 'issuetracker_pat': value.get(_field('pattern')),
1101 'issuetracker_pat': value.get(_field('pattern')),
1099 'issuetracker_pat': value.get(_field('pattern')),
1100 'issuetracker_url': value.get(_field('url')),
1102 'issuetracker_url': value.get(_field('url')),
1101 'issuetracker_pref': value.get(_field('prefix')),
1103 'issuetracker_pref': value.get(_field('prefix')),
1102 'issuetracker_desc': value.get(_field('description'))
1104 'issuetracker_desc': value.get(_field('description'))
@@ -1108,6 +1110,14 b' def ValidPattern():'
1108 and values['issuetracker_url'])
1110 and values['issuetracker_url'])
1109
1111
1110 if has_required_fields:
1112 if has_required_fields:
1113 # validate url that it starts with http or /
1114 # otherwise it can lead to JS injections
1115 # e.g specifig javascript:<malicios code>
1116 if not values['issuetracker_url'].startswith(('http', '/')):
1117 raise formencode.Invalid(
1118 self.message('bad_format', state),
1119 value, state)
1120
1111 settings = [
1121 settings = [
1112 ('_'.join((key, new_uid)), values[key], 'unicode')
1122 ('_'.join((key, new_uid)), values[key], 'unicode')
1113 for key in values]
1123 for key in values]
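Review bot: The new check at line 1116, `if not values['issuetracker_url'].startswith(('http', '/'))`, is a plain prefix test and admits two shapes the commit message wants to exclude: a protocol-relative value such as `//evil.example/issue` (it starts with `/`, but the browser resolves it against another host), and any string that merely begins with the letters `http`, so the scheme is not pinned to http/https. Parsing the value and allowing only an explicit `http`/`https` scheme with a host, or a single-slash path, closes both; the rewrite below uses the standard-library `urlparse` (`urllib.parse` on Python 3), which needs an import if validators.py does not already have one. The comment above the check also misspells `specific` and `malicious`. `_to_python` spans all three hunks and continues past the last one.
```python
            if has_required_fields:
                # allow only an explicit http(s) URL or a root-relative path;
                # javascript:, data: and protocol-relative (//host) values
                # would otherwise become an injected href in the rendered link
                url = values['issuetracker_url']
                parsed = urlparse.urlparse(url)
                is_http_url = parsed.scheme in ('http', 'https') and bool(parsed.netloc)
                is_local_path = url.startswith('/') and not url.startswith('//')
                if not (is_http_url or is_local_path):
                    raise formencode.Invalid(
                        self.message('bad_format', state),
                        value, state)

                # … unchanged: settings list construction …
```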