issue-trackers: enforce a http or / patterns to avoid JS injections.
marcink -
r2334:0804fe0e default
@@ -620,11 +620,11 b' class TestAdminSettingsIssueTracker(obje'
620 620 post_url = route_path('admin_settings_issuetracker_update')
621 621 post_data = {
622 622 'new_pattern_pattern_0': pattern,
623 'new_pattern_url_0': 'url',
623 'new_pattern_url_0': 'http://url',
624 624 'new_pattern_prefix_0': 'prefix',
625 625 'new_pattern_description_0': 'description',
626 626 'new_pattern_pattern_1': another_pattern,
627 'new_pattern_url_1': 'url1',
627 'new_pattern_url_1': 'https://url1',
628 628 'new_pattern_prefix_1': 'prefix1',
629 629 'new_pattern_description_1': 'description1',
630 630 'csrf_token': csrf_token
@@ -663,7 +663,7 b' class TestAdminSettingsIssueTracker(obje'
663 663 post_url = route_path('admin_settings_issuetracker_update')
664 664 post_data = {
665 665 'new_pattern_pattern_0': pattern,
666 'new_pattern_url_0': 'url',
666 'new_pattern_url_0': 'https://url',
667 667 'new_pattern_prefix_0': 'prefix',
668 668 'new_pattern_description_0': 'description',
669 669 'uid': old_uid,
@@ -697,7 +697,7 b' class TestAdminSettingsIssueTracker(obje'
697 697 post_url = route_path('admin_settings_issuetracker_update')
698 698 post_data = {
699 699 'new_pattern_pattern_0': pattern,
700 'new_pattern_url_0': 'url',
700 'new_pattern_url_0': 'https://url',
701 701 'new_pattern_prefix_0': 'prefix',
702 702 'new_pattern_description_0': new_description,
703 703 'uid': self.uid,
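Review bot: No test exercises the rejection path this commit introduces — every hunk in this section only swaps the fixture URLs to `http://url` / `https://url` so the existing happy-path tests keep passing, and the same is true of the TestRepoIssueTracker hunks further down. A test that posts the old fixture value `'new_pattern_url_0': 'url'` and asserts the `Invalid issue tracker pattern` flash, the redirect back to the settings page and that no pattern was persisted would pin the new behaviour; without it a later relaxation of the prefix check would go unnoticed. The test methods begin before each hunk, so the fixture names (`pattern`, `csrf_token`, `old_uid`) come from lines outside the visible range.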
@@ -481,7 +481,15 b' class AdminSettingsView(BaseAppView):'
481 481 self.load_default_context()
482 482 settings_model = IssueTrackerSettingsModel()
483 483
484 form = IssueTrackerPatternsForm()().to_python(self.request.POST)
484 try:
485 form = IssueTrackerPatternsForm()().to_python(self.request.POST)
486 except formencode.Invalid as errors:
487 log.exception('Failed to add new pattern')
488 error = errors
489 h.flash(_('Invalid issue tracker pattern: {}'.format(error)),
490 category='error')
491 raise HTTPFound(h.route_path('admin_settings_issuetracker'))
492
485 493 if form:
486 494 for uid in form.get('delete_patterns', []):
487 495 settings_model.delete_entries(uid)
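Review bot: `_('Invalid issue tracker pattern: {}'.format(error))` formats before translating, so the gettext lookup key is the already-interpolated string and can never match a catalog entry; the RepoSettingsIssueTrackersView hunk below uses the same construction. Translate first and format the result, which also removes the redundant `error = errors` alias: `h.flash(_('Invalid issue tracker pattern: {}').format(errors), category='error')`. `log.exception` additionally emits a full traceback for what is an expected user-input rejection; `log.warning('Invalid issue tracker pattern: %s', errors)` keeps the signal without the noise. The enclosing method begins before this hunk, and whether `h.flash` escapes the message for HTML is not visible here — presumably it does, but worth confirming since the text is rendered in the page.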
@@ -58,11 +58,11 b' class TestRepoIssueTracker(object):'
58 58 'edit_repo_issuetracker_update', repo_name=backend.repo.repo_name)
59 59 post_data = {
60 60 'new_pattern_pattern_0': pattern,
61 'new_pattern_url_0': 'url',
61 'new_pattern_url_0': 'http://url',
62 62 'new_pattern_prefix_0': 'prefix',
63 63 'new_pattern_description_0': 'description',
64 64 'new_pattern_pattern_1': another_pattern,
65 'new_pattern_url_1': 'url1',
65 'new_pattern_url_1': '/url1',
66 66 'new_pattern_prefix_1': 'prefix1',
67 67 'new_pattern_description_1': 'description1',
68 68 'csrf_token': csrf_token
@@ -84,7 +84,7 b' class TestRepoIssueTracker(object):'
84 84 extra_environ=xhr_header, params=data)
85 85
86 86 assert response.body == \
87 'example of <a class="issue-tracker-link" href="url">prefix</a> replacement'
87 'example of <a class="issue-tracker-link" href="http://url">prefix</a> replacement'
88 88
89 89 @request.addfinalizer
90 90 def cleanup():
@@ -106,7 +106,7 b' class TestRepoIssueTracker(object):'
106 106 'edit_repo_issuetracker_update', repo_name=backend.repo.repo_name)
107 107 post_data = {
108 108 'new_pattern_pattern_0': pattern,
109 'new_pattern_url_0': 'url',
109 'new_pattern_url_0': '/url',
110 110 'new_pattern_prefix_0': 'prefix',
111 111 'new_pattern_description_0': 'description',
112 112 'uid': old_uid,
@@ -22,6 +22,7 b' import logging'
22 22
23 23 from pyramid.httpexceptions import HTTPFound
24 24 from pyramid.view import view_config
25 import formencode
25 26
26 27 from rhodecode.apps._base import RepoAppView
27 28 from rhodecode.lib import audit_logger
@@ -116,7 +117,17 b' class RepoSettingsIssueTrackersView(Repo'
116 117 repo_settings.inherit_global_settings = inherited
117 118 Session().commit()
118 119
119 form = IssueTrackerPatternsForm()().to_python(self.request.POST)
120 try:
121 form = IssueTrackerPatternsForm()().to_python(self.request.POST)
122 except formencode.Invalid as errors:
123 log.exception('Failed to add new pattern')
124 error = errors
125 h.flash(_('Invalid issue tracker pattern: {}'.format(error)),
126 category='error')
127 raise HTTPFound(
128 h.route_path('edit_repo_issuetracker',
129 repo_name=self.db_repo_name))
130
120 131 if form:
121 132 self._update_patterns(form, repo_settings)
122 133
@@ -1081,6 +1081,9 b' def ValidAuthPlugins():'
1081 1081 def ValidPattern():
1082 1082
1083 1083 class _Validator(formencode.validators.FancyValidator):
1084 messages = {
1085 'bad_format': _(u'Url must start with http or /'),
1086 }
1084 1087
1085 1088 def _to_python(self, value, state):
1086 1089 patterns = []
@@ -1096,7 +1099,6 b' def ValidPattern():'
1096 1099
1097 1100 values = {
1098 1101 'issuetracker_pat': value.get(_field('pattern')),
1099 'issuetracker_pat': value.get(_field('pattern')),
1100 1102 'issuetracker_url': value.get(_field('url')),
1101 1103 'issuetracker_pref': value.get(_field('prefix')),
1102 1104 'issuetracker_desc': value.get(_field('description'))
@@ -1108,6 +1110,14 b' def ValidPattern():'
1108 1110 and values['issuetracker_url'])
1109 1111
1110 1112 if has_required_fields:
1113 # validate url that it starts with http or /
1114 # otherwise it can lead to JS injections
1115 # e.g specifig javascript:<malicios code>
1116 if not values['issuetracker_url'].startswith(('http', '/')):
1117 raise formencode.Invalid(
1118 self.message('bad_format', state),
1119 value, state)
1120
1111 1121 settings = [
1112 1122 ('_'.join((key, new_uid)), values[key], 'unicode')
1113 1123 for key in values]
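Review bot: `startswith(('http', '/'))` on the new line is a prefix check rather than a scheme check: any value that merely begins with the four letters `http` passes, and the `/` branch also admits protocol-relative `//host/...` values that send the link off-site. If the intent is absolute http(s) URLs or same-site paths, tighten it to `url = values['issuetracker_url']` and `if not (url.startswith(('http://', 'https://')) or (url.startswith('/') and not url.startswith('//'))):`, and reword the `bad_format` message accordingly. The new comment also carries typos (`specifig`, `malicios`); `# reject non-http schemes such as javascript: URLs, which would execute in the link` reads cleaner. `_to_python` begins before this hunk.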