security: use safe escaped version of description for repo and repo group to potentially...
ergo -
r1830:d786fdd7 default
@@ -1026,6 +1026,11 b' class UserApiKeys(Base, BaseModel):'
1026 data['auth_token'] = self.token_obfuscated
1026 data['auth_token'] = self.token_obfuscated
1027 return data
1027 return data
1028
1028
1029 @hybrid_property
1030 def description_safe(self):
1031 from rhodecode.lib import helpers as h
1032 return h.escape(self.description)
1033
1029 @property
1034 @property
1030 def expired(self):
1035 def expired(self):
1031 if self.expires == -1:
1036 if self.expires == -1:
@@ -1111,6 +1116,11 b' class UserIpMap(Base, BaseModel):'
1111 description = Column("description", String(10000), nullable=True, unique=None, default=None)
1116 description = Column("description", String(10000), nullable=True, unique=None, default=None)
1112 user = relationship('User', lazy='joined')
1117 user = relationship('User', lazy='joined')
1113
1118
1119 @hybrid_property
1120 def description_safe(self):
1121 from rhodecode.lib import helpers as h
1122 return h.escape(self.description)
1123
1114 @classmethod
1124 @classmethod
1115 def _get_ip_range(cls, ip_addr):
1125 def _get_ip_range(cls, ip_addr):
1116 net = ipaddress.ip_network(ip_addr, strict=False)
1126 net = ipaddress.ip_network(ip_addr, strict=False)
@@ -1199,6 +1209,11 b' class UserGroup(Base, BaseModel):'
1199 user = relationship('User')
1209 user = relationship('User')
1200
1210
1201 @hybrid_property
1211 @hybrid_property
1212 def description_safe(self):
1213 from rhodecode.lib import helpers as h
1214 return h.escape(self.description)
1215
1216 @hybrid_property
1202 def group_data(self):
1217 def group_data(self):
1203 if not self._group_data:
1218 if not self._group_data:
1204 return {}
1219 return {}
@@ -1496,6 +1511,11 b' class Repository(Base, BaseModel):'
1496 safe_unicode(self.repo_name))
1511 safe_unicode(self.repo_name))
1497
1512
1498 @hybrid_property
1513 @hybrid_property
1514 def description_safe(self):
1515 from rhodecode.lib import helpers as h
1516 return h.escape(self.description)
1517
1518 @hybrid_property
1499 def landing_rev(self):
1519 def landing_rev(self):
1500 # always should return [rev_type, rev]
1520 # always should return [rev_type, rev]
1501 if self._landing_revision:
1521 if self._landing_revision:
@@ -1805,7 +1825,7 b' class Repository(Base, BaseModel):'
1805 'url': RepoModel().get_url(self),
1825 'url': RepoModel().get_url(self),
1806 'private': repo.private,
1826 'private': repo.private,
1807 'created_on': repo.created_on,
1827 'created_on': repo.created_on,
1808 'description': repo.description,
1828 'description': repo.description_safe,
1809 'landing_rev': repo.landing_rev,
1829 'landing_rev': repo.landing_rev,
1810 'owner': repo.user.username,
1830 'owner': repo.user.username,
1811 'fork_of': repo.fork.repo_name if repo.fork else None,
1831 'fork_of': repo.fork.repo_name if repo.fork else None,
@@ -2204,8 +2224,13 b' class RepoGroup(Base, BaseModel):'
2204 self.parent_group = parent_group
2224 self.parent_group = parent_group
2205
2225
2206 def __unicode__(self):
2226 def __unicode__(self):
2207 return u"<%s('id:%s:%s')>" % (self.__class__.__name__, self.group_id,
2227 return u"<%s('id:%s:%s')>" % (
2208 self.group_name)
2228 self.__class__.__name__, self.group_id, self.group_name)
2229
2230 @hybrid_property
2231 def description_safe(self):
2232 from rhodecode.lib import helpers as h
2233 return h.escape(self.group_description)
2209
2234
2210 @classmethod
2235 @classmethod
2211 def _generate_choice(cls, repo_group):
2236 def _generate_choice(cls, repo_group):
@@ -2436,7 +2461,7 b' class RepoGroup(Base, BaseModel):'
2436 data = {
2461 data = {
2437 'group_id': group.group_id,
2462 'group_id': group.group_id,
2438 'group_name': group.group_name,
2463 'group_name': group.group_name,
2439 'group_description': group.group_description,
2464 'group_description': group.description_safe,
2440 'parent_group': group.parent_group.group_name if group.parent_group else None,
2465 'parent_group': group.parent_group.group_name if group.parent_group else None,
2441 'repositories': [x.repo_name for x in group.repositories],
2466 'repositories': [x.repo_name for x in group.repositories],
2442 'owner': group.user.username,
2467 'owner': group.user.username,
@@ -3303,6 +3328,11 b' class _PullRequestBase(BaseModel):'
3303 return json.dumps(self.reviewer_data)
3328 return json.dumps(self.reviewer_data)
3304
3329
3305 @hybrid_property
3330 @hybrid_property
3331 def description_safe(self):
3332 from rhodecode.lib import helpers as h
3333 return h.escape(self.description)
3334
3335 @hybrid_property
3306 def revisions(self):
3336 def revisions(self):
3307 return self._revisions.split(':') if self._revisions else []
3337 return self._revisions.split(':') if self._revisions else []
3308
3338
@@ -3739,6 +3769,11 b' class Gist(Base, BaseModel):'
3739 def __repr__(self):
3769 def __repr__(self):
3740 return '<Gist:[%s]%s>' % (self.gist_type, self.gist_access_id)
3770 return '<Gist:[%s]%s>' % (self.gist_type, self.gist_access_id)
3741
3771
3772 @hybrid_property
3773 def description_safe(self):
3774 from rhodecode.lib import helpers as h
3775 return h.escape(self.gist_description)
3776
3742 @classmethod
3777 @classmethod
3743 def get_or_404(cls, id_, pyramid_exc=False):
3778 def get_or_404(cls, id_, pyramid_exc=False):
3744
3779
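Review bot: Escaping at the model layer leaks HTML entities into the JSON-RPC API: `get_api_data` on Repository (new line 1828) and on RepoGroup (new line 2464) now returns `description_safe`, so non-HTML API consumers presumably receive `&amp;`, `&lt;` and friends instead of the stored text, and any template that still auto-escapes will double-encode it. HTML escaping belongs at the render boundary (template filter or the datatable renderer) with the API keeping the raw value; if the API is deliberately meant to carry escaped text, say so in the API docstring. Two smaller points on the new `description_safe` properties: the description columns are nullable (e.g. line 1116), and unless `h.escape` maps None to an empty string a null description will render the literal text `None`, so `return h.escape(self.description or '')` is safer; and since no SQL expression is supplied, a plain `@property` avoids `Repository.description_safe` at class level calling `h.escape` on the column attribute. The enclosing classes extend beyond these hunks.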
@@ -1295,7 +1295,7 b' class PullRequestModel(BaseModel):'
1295 'lastname': repo.user.last_name,
1295 'lastname': repo.user.last_name,
1296 'gravatar_link': h.gravatar_url(repo.user.email, 14),
1296 'gravatar_link': h.gravatar_url(repo.user.email, 14),
1297 },
1297 },
1298 'description': h.chop_at_smart(repo.description, '\n'),
1298 'description': h.chop_at_smart(repo.description_safe, '\n'),
1299 'refs': {
1299 'refs': {
1300 'all_refs': all_refs,
1300 'all_refs': all_refs,
1301 'selected_ref': selected_ref,
1301 'selected_ref': selected_ref,
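Review bot: `h.chop_at_smart(repo.description_safe, '\n')` (line 1298) puts an already HTML-escaped string into a data structure that is presumably serialized for client-side code; if that code inserts the value as text (jQuery `.text()`, or a templating engine that escapes) users will see `&amp;` and `&lt;` literally, whereas if it uses `innerHTML` this escape is exactly what prevents injection. The consumer should be checked and the contract recorded next to the key, e.g. `# pre-escaped HTML: the client must insert it as HTML, not as text`. The enclosing method starts before this hunk.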
@@ -257,7 +257,7 b' class RepoModel(BaseModel):'
257 "last_changeset": last_rev(repo.repo_name, cs_cache),
257 "last_changeset": last_rev(repo.repo_name, cs_cache),
258 "last_changeset_raw": cs_cache.get('revision'),
258 "last_changeset_raw": cs_cache.get('revision'),
259
259
260 "desc": desc(repo.description),
260 "desc": desc(repo.description_safe),
261 "owner": user_profile(repo.user.username),
261 "owner": user_profile(repo.user.username),
262
262
263 "state": state(repo.repo_state),
263 "state": state(repo.repo_state),
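Review bot: `desc(repo.description_safe)` (line 260) hands pre-escaped text to the local `desc` helper, whose definition is outside the hunk; if that helper itself escapes (a Mako template with the default escape filter, or a helper such as urlify) the output is double-encoded (`&amp;amp;`), and any regex-based markup it applies to the raw text may no longer match `&#34;`/`&#39;` sequences. Either make `desc` the single point of escaping and keep passing the raw description, or mark the argument as already safe (`h.literal`) so it is not escaped again, with a comment such as `# description_safe is already HTML-escaped; desc() must not escape it again`. The RepoGroupModel hunk makes the same change in `desc(group.description_safe, group.personal)` and needs the same check.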
@@ -711,7 +711,7 b' class RepoGroupModel(BaseModel):'
711 "menu": quick_menu(group.group_name),
711 "menu": quick_menu(group.group_name),
712 "name": repo_group_lnk(group.group_name),
712 "name": repo_group_lnk(group.group_name),
713 "name_raw": group.group_name,
713 "name_raw": group.group_name,
714 "desc": desc(group.group_description, group.personal),
714 "desc": desc(group.description_safe, group.personal),
715 "top_level_repos": 0,
715 "top_level_repos": 0,
716 "owner": user_profile(group.user.username)
716 "owner": user_profile(group.user.username)
717 }
717 }