security: fix XSS in repo strip view.
ergo -
r2155:a81b6ebb default
@@ -1,113 +1,113 b''
1 # -*- coding: utf-8 -*-
1 # -*- coding: utf-8 -*-
2
2
3 # Copyright (C) 2017-2017 RhodeCode GmbH
3 # Copyright (C) 2017-2017 RhodeCode GmbH
4 #
4 #
5 # This program is free software: you can redistribute it and/or modify
5 # This program is free software: you can redistribute it and/or modify
6 # it under the terms of the GNU Affero General Public License, version 3
6 # it under the terms of the GNU Affero General Public License, version 3
7 # (only), as published by the Free Software Foundation.
7 # (only), as published by the Free Software Foundation.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU Affero General Public License
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 #
16 #
17 # This program is dual-licensed. If you wish to learn more about the
17 # This program is dual-licensed. If you wish to learn more about the
18 # RhodeCode Enterprise Edition, including its added features, Support services,
18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20
20
21 import logging
21 import logging
22 from pyramid.view import view_config
22 from pyramid.view import view_config
23
23
24 from rhodecode.apps._base import RepoAppView
24 from rhodecode.apps._base import RepoAppView
25 from rhodecode.lib import audit_logger
25 from rhodecode.lib import audit_logger
26 from rhodecode.lib import helpers as h
26 from rhodecode.lib import helpers as h
27 from rhodecode.lib.auth import (
27 from rhodecode.lib.auth import (
28 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)
28 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)
29 from rhodecode.lib.ext_json import json
29 from rhodecode.lib.ext_json import json
30
30
31 log = logging.getLogger(__name__)
31 log = logging.getLogger(__name__)
32
32
33
33
34 class StripView(RepoAppView):
34 class StripView(RepoAppView):
35 def load_default_context(self):
35 def load_default_context(self):
36 c = self._get_local_tmpl_context()
36 c = self._get_local_tmpl_context()
37
37
38 self._register_global_c(c)
38 self._register_global_c(c)
39 return c
39 return c
40
40
41 @LoginRequired()
41 @LoginRequired()
42 @HasRepoPermissionAnyDecorator('repository.admin')
42 @HasRepoPermissionAnyDecorator('repository.admin')
43 @view_config(
43 @view_config(
44 route_name='edit_repo_strip', request_method='GET',
44 route_name='edit_repo_strip', request_method='GET',
45 renderer='rhodecode:templates/admin/repos/repo_edit.mako')
45 renderer='rhodecode:templates/admin/repos/repo_edit.mako')
46 def strip(self):
46 def strip(self):
47 c = self.load_default_context()
47 c = self.load_default_context()
48 c.active = 'strip'
48 c.active = 'strip'
49 c.strip_limit = 10
49 c.strip_limit = 10
50
50
51 return self._get_template_context(c)
51 return self._get_template_context(c)
52
52
53 @LoginRequired()
53 @LoginRequired()
54 @HasRepoPermissionAnyDecorator('repository.admin')
54 @HasRepoPermissionAnyDecorator('repository.admin')
55 @CSRFRequired()
55 @CSRFRequired()
56 @view_config(
56 @view_config(
57 route_name='strip_check', request_method='POST',
57 route_name='strip_check', request_method='POST',
58 renderer='json', xhr=True)
58 renderer='json', xhr=True)
59 def strip_check(self):
59 def strip_check(self):
60 from rhodecode.lib.vcs.backends.base import EmptyCommit
60 from rhodecode.lib.vcs.backends.base import EmptyCommit
61 data = {}
61 data = {}
62 rp = self.request.POST
62 rp = self.request.POST
63 for i in range(1, 11):
63 for i in range(1, 11):
64 chset = 'changeset_id-%d' % (i,)
64 chset = 'changeset_id-%d' % (i,)
65 check = rp.get(chset)
65 check = rp.get(chset)
66
66
67 if check:
67 if check:
68 data[i] = self.db_repo.get_changeset(rp[chset])
68 data[i] = self.db_repo.get_changeset(rp[chset])
69 if isinstance(data[i], EmptyCommit):
69 if isinstance(data[i], EmptyCommit):
70 data[i] = {'rev': None, 'commit': h.escape(rp[chset])}
70 data[i] = {'rev': None, 'commit': h.escape(rp[chset])}
71 else:
71 else:
72 data[i] = {'rev': data[i].raw_id, 'branch': data[i].branch,
72 data[i] = {'rev': data[i].raw_id, 'branch': data[i].branch,
73 'author': data[i].author,
73 'author': h.escape(data[i].author),
74 'comment': data[i].message}
74 'comment': h.escape(data[i].message)}
75 else:
75 else:
76 break
76 break
77 return data
77 return data
78
78
79 @LoginRequired()
79 @LoginRequired()
80 @HasRepoPermissionAnyDecorator('repository.admin')
80 @HasRepoPermissionAnyDecorator('repository.admin')
81 @CSRFRequired()
81 @CSRFRequired()
82 @view_config(
82 @view_config(
83 route_name='strip_execute', request_method='POST',
83 route_name='strip_execute', request_method='POST',
84 renderer='json', xhr=True)
84 renderer='json', xhr=True)
85 def strip_execute(self):
85 def strip_execute(self):
86 from rhodecode.model.scm import ScmModel
86 from rhodecode.model.scm import ScmModel
87
87
88 c = self.load_default_context()
88 c = self.load_default_context()
89 user = self._rhodecode_user
89 user = self._rhodecode_user
90 rp = self.request.POST
90 rp = self.request.POST
91 data = {}
91 data = {}
92 for idx in rp:
92 for idx in rp:
93 commit = json.loads(rp[idx])
93 commit = json.loads(rp[idx])
94 # If someone put two times the same branch
94 # If someone put two times the same branch
95 if commit['branch'] in data.keys():
95 if commit['branch'] in data.keys():
96 continue
96 continue
97 try:
97 try:
98 ScmModel().strip(
98 ScmModel().strip(
99 repo=self.db_repo,
99 repo=self.db_repo,
100 commit_id=commit['rev'], branch=commit['branch'])
100 commit_id=commit['rev'], branch=commit['branch'])
101 log.info('Stripped commit %s from repo `%s` by %s' % (
101 log.info('Stripped commit %s from repo `%s` by %s' % (
102 commit['rev'], self.db_repo_name, user))
102 commit['rev'], self.db_repo_name, user))
103 data[commit['rev']] = True
103 data[commit['rev']] = True
104
104
105 audit_logger.store_web(
105 audit_logger.store_web(
106 'repo.commit.strip', action_data={'commit_id': commit['rev']},
106 'repo.commit.strip', action_data={'commit_id': commit['rev']},
107 repo=self.db_repo, user=self._rhodecode_user, commit=True)
107 repo=self.db_repo, user=self._rhodecode_user, commit=True)
108
108
109 except Exception as e:
109 except Exception as e:
110 data[commit['rev']] = False
110 data[commit['rev']] = False
111 log.debug('Stripped commit %s from repo `%s` failed by %s, exeption %s' % (
111 log.debug('Stripped commit %s from repo `%s` failed by %s, exeption %s' % (
112 commit['rev'], self.db_repo_name, user, e.message))
112 commit['rev'], self.db_repo_name, user, e.message))
113 return data
113 return data
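Review bot: In strip_check the `branch` field is still returned unescaped (`'branch': data[i].branch`) while `author` and `comment` now go through `h.escape`; branch names come from the repository and are as attacker-controllable as commit messages, so unless the consuming JS escapes on insertion (not visible here) the line should read `'branch': h.escape(data[i].branch),`. The page does not mark which of the two printed copies of lines 73–74 is the new side, but the commit title indicates the `h.escape` variant is the one under review. Separately, strip_execute passes `commit['rev']` and `commit['branch']` straight from client-supplied JSON into `ScmModel().strip` without confirming the rev resolves in this repository, and its `except Exception` branch logs only at debug level, so a malformed or forged entry fails silently for the admin; validating through `self.db_repo.get_changeset` as strip_check already does, and logging the failure with `log.exception`, would close that gap. The loop bound `range(1, 11)` in strip_check also duplicates `c.strip_limit = 10` from the GET view, so the two can drift apart.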