security: fix self-xss inside repo strip view.
ergo -
r1809:86482ba7 default
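--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,114 +1,116 @@
 # -*- coding: utf-8 -*-
 
 # Copyright (C) 2017-2017 RhodeCode GmbH
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License, version 3
 # (only), as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 # This program is dual-licensed. If you wish to learn more about the
 # RhodeCode Enterprise Edition, including its added features, Support services,
 # and proprietary license terms, please see https://rhodecode.com/licenses/
 
 import logging
 from pyramid.view import view_config
 
 from rhodecode.apps._base import RepoAppView
 from rhodecode.lib import audit_logger
+from rhodecode.lib import helpers as h
 from rhodecode.lib.auth import (LoginRequired, HasRepoPermissionAnyDecorator,
                                 NotAnonymous)
 from rhodecode.lib.ext_json import json
 
 log = logging.getLogger(__name__)
 
 
 class StripView(RepoAppView):
     def load_default_context(self):
         c = self._get_local_tmpl_context()
 
         # TODO(marcink): remove repo_info and use c.rhodecode_db_repo instead
         c.repo_info = self.db_repo
 
         self._register_global_c(c)
         return c
 
     @LoginRequired()
     @HasRepoPermissionAnyDecorator('repository.admin')
     @view_config(
         route_name='strip', request_method='GET',
         renderer='rhodecode:templates/admin/repos/repo_edit.mako')
     def strip(self):
         c = self.load_default_context()
         c.active = 'strip'
         c.strip_limit = 10
 
         return self._get_template_context(c)
 
     @LoginRequired()
     @HasRepoPermissionAnyDecorator('repository.admin')
     @view_config(
         route_name='strip_check', request_method='POST',
         renderer='json', xhr=True)
     def strip_check(self):
         from rhodecode.lib.vcs.backends.base import EmptyCommit
         data = {}
         rp = self.request.POST
         for i in range(1, 11):
             chset = 'changeset_id-%d' % (i,)
             check = rp.get(chset)
+
             if check:
                 data[i] = self.db_repo.get_changeset(rp[chset])
                 if isinstance(data[i], EmptyCommit):
-                    data[i] = {'rev': None, 'commit': rp[chset]}
+                    data[i] = {'rev': None, 'commit': h.escape(rp[chset])}
                 else:
                     data[i] = {'rev': data[i].raw_id, 'branch': data[i].branch,
                                'author': data[i].author,
                                'comment': data[i].message}
             else:
                 break
         return data
 
     @LoginRequired()
     @HasRepoPermissionAnyDecorator('repository.admin')
     @view_config(
         route_name='strip_execute', request_method='POST',
         renderer='json', xhr=True)
     def strip_execute(self):
         from rhodecode.model.scm import ScmModel
 
         c = self.load_default_context()
         user = self._rhodecode_user
         rp = self.request.POST
         data = {}
         for idx in rp:
             commit = json.loads(rp[idx])
             # If someone put two times the same branch
             if commit['branch'] in data.keys():
                 continue
             try:
                 ScmModel().strip(
                     repo=c.repo_info,
                     commit_id=commit['rev'], branch=commit['branch'])
                 log.info('Stripped commit %s from repo `%s` by %s' % (
                     commit['rev'], c.repo_info.repo_name, user))
                 data[commit['rev']] = True
 
                 audit_logger.store_web(
                     action='repo.commit.strip',
                     action_data={'commit_id': commit['rev']},
                     repo=self.db_repo,
                     user=self._rhodecode_user, commit=True)
 
             except Exception as e:
                 data[commit['rev']] = False
                 log.debug('Stripped commit %s from repo `%s` failed by %s, exeption %s' % (
                     commit['rev'], self.db_repo_name, user, e.message))
         return data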
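Review bot: The escaping added at new line 72 of strip_check covers only the EmptyCommit branch; the else branch on lines 74-76 still returns `data[i].author` and `data[i].message` unescaped, and those are commit metadata written by whoever pushed to the repository, not by the admin viewing the page. Unless the client escapes these values before inserting them into the DOM (not visible from this diff), that is a stored injection path in the same response, which matters more than the reflected one being fixed. For the display-only fields I would apply the same helper, `'author': h.escape(data[i].author),` and `'comment': h.escape(data[i].message)`; `rev` and `branch` are posted back verbatim to strip_execute and passed to `ScmModel().strip`, so they should be escaped at render time on the client rather than mangled here. Separately, strip_execute calls `json.loads(rp[idx])` on every POST value and then indexes `commit['branch']` and `commit['rev']` without any shape check, so a malformed or non-JSON value raises out of the view instead of being recorded as a failed entry; catching `(ValueError, KeyError, TypeError)` around the parse and marking that entry False would make the endpoint fail closed.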