##// END OF EJS Templates
api: security, fix problem when absolute paths are specified with API call, that would allow...
marcink -
r2663:0777b16f default
parent child Browse files
Show More
@@ -99,6 +99,8 b' class TestApiUpdateRepo(object):'
99
99
100 id_, params = build_data(
100 id_, params = build_data(
101 self.apikey, 'update_repo', repoid=repo_name, **updates)
101 self.apikey, 'update_repo', repoid=repo_name, **updates)
102
103 with mock.patch('rhodecode.model.validation_schema.validators.url_validator'):
102 response = api_call(self.app, params)
104 response = api_call(self.app, params)
103
105
104 if updates.get('repo_name'):
106 if updates.get('repo_name'):
@@ -659,6 +659,7 b' def create_repo('
659
659
660 schema = repo_schema.RepoSchema().bind(
660 schema = repo_schema.RepoSchema().bind(
661 repo_type_options=rhodecode.BACKENDS.keys(),
661 repo_type_options=rhodecode.BACKENDS.keys(),
662 repo_type=repo_type,
662 # user caller
663 # user caller
663 user=apiuser)
664 user=apiuser)
664
665
@@ -902,16 +903,18 b' def update_repo('
902 request.translate, repo=repo)
903 request.translate, repo=repo)
903
904
904 old_values = repo.get_api_data()
905 old_values = repo.get_api_data()
906 repo_type = repo.repo_type
905 schema = repo_schema.RepoSchema().bind(
907 schema = repo_schema.RepoSchema().bind(
906 repo_type_options=rhodecode.BACKENDS.keys(),
908 repo_type_options=rhodecode.BACKENDS.keys(),
907 repo_ref_options=ref_choices,
909 repo_ref_options=ref_choices,
910 repo_type=repo_type,
908 # user caller
911 # user caller
909 user=apiuser,
912 user=apiuser,
910 old_values=old_values)
913 old_values=old_values)
911 try:
914 try:
912 schema_data = schema.deserialize(dict(
915 schema_data = schema.deserialize(dict(
913 # we save old value, users cannot change type
916 # we save old value, users cannot change type
914 repo_type=repo.repo_type,
917 repo_type=repo_type,
915
918
916 repo_name=updates['repo_name'],
919 repo_name=updates['repo_name'],
917 repo_owner=updates['user'],
920 repo_owner=updates['user'],
@@ -1062,6 +1065,7 b' def fork_repo(request, apiuser, repoid, '
1062
1065
1063 schema = repo_schema.RepoSchema().bind(
1066 schema = repo_schema.RepoSchema().bind(
1064 repo_type_options=rhodecode.BACKENDS.keys(),
1067 repo_type_options=rhodecode.BACKENDS.keys(),
1068 repo_type=repo.repo_type,
1065 # user caller
1069 # user caller
1066 user=apiuser)
1070 user=apiuser)
1067
1071
@@ -319,13 +319,13 b' class RepoSchema(colander.MappingSchema)'
319
319
320 repo_clone_uri = colander.SchemaNode(
320 repo_clone_uri = colander.SchemaNode(
321 colander.String(),
321 colander.String(),
322 validator=colander.All(colander.Length(min=1)),
322 validator=deferred_sync_uri_validator,
323 preparers=[preparers.strip_preparer],
323 preparers=[preparers.strip_preparer],
324 missing='')
324 missing='')
325
325
326 repo_push_uri = colander.SchemaNode(
326 repo_push_uri = colander.SchemaNode(
327 colander.String(),
327 colander.String(),
328 validator=colander.All(colander.Length(min=1)),
328 validator=deferred_sync_uri_validator,
329 preparers=[preparers.strip_preparer],
329 preparers=[preparers.strip_preparer],
330 missing='')
330 missing='')
331
331
@@ -117,6 +117,11 b' def url_validator(url, repo_type, config'
117 % (url, ','.join(allowed_prefixes)))
117 % (url, ','.join(allowed_prefixes)))
118 exc.allowed_prefixes = allowed_prefixes
118 exc.allowed_prefixes = allowed_prefixes
119 raise exc
119 raise exc
120 elif repo_type == 'svn':
121 # no validation for SVN yet
122 return
123
124 raise InvalidCloneUrl('No repo type specified')
120
125
121
126
122 class CloneUriValidator(object):
127 class CloneUriValidator(object):
@@ -124,16 +129,14 b' class CloneUriValidator(object):'
124 self.repo_type = repo_type
129 self.repo_type = repo_type
125
130
126 def __call__(self, node, value):
131 def __call__(self, node, value):
132
127 from rhodecode.lib.utils import make_db_config
133 from rhodecode.lib.utils import make_db_config
128 try:
134 try:
129 config = make_db_config(clear_session=False)
135 config = make_db_config(clear_session=False)
130 url_validator(value, self.repo_type, config)
136 url_validator(value, self.repo_type, config)
131 except InvalidCloneUrl as e:
137 except InvalidCloneUrl as e:
132 log.warning(e)
138 log.warning(e)
133 msg = _(u'Invalid clone url, provide a valid clone '
139 raise colander.Invalid(node, e.message)
134 u'url starting with one of {allowed_prefixes}').format(
135 allowed_prefixes=e.allowed_prefixes)
136 raise colander.Invalid(node, msg)
137 except Exception:
140 except Exception:
138 log.exception('Url validation failed')
141 log.exception('Url validation failed')
139 msg = _(u'invalid clone url for {repo_type} repository').format(
142 msg = _(u'invalid clone url for {repo_type} repository').format(
@@ -53,6 +53,7 b' class TestRepoSchema(object):'
53 def test_deserialize(self, app, user_admin):
53 def test_deserialize(self, app, user_admin):
54 schema = repo_schema.RepoSchema().bind(
54 schema = repo_schema.RepoSchema().bind(
55 repo_type_options=['hg'],
55 repo_type_options=['hg'],
56 repo_type='hg',
56 user=user_admin
57 user=user_admin
57 )
58 )
58
59
@@ -78,6 +79,7 b' class TestRepoSchema(object):'
78
79
79 schema = repo_schema.RepoSchema().bind(
80 schema = repo_schema.RepoSchema().bind(
80 repo_type_options=['hg'],
81 repo_type_options=['hg'],
82 repo_type='hg',
81 user=user_admin
83 user=user_admin
82 )
84 )
83
85
@@ -93,6 +95,7 b' class TestRepoSchema(object):'
93 def test_deserialize_with_group_name(self, app, user_admin, test_repo_group):
95 def test_deserialize_with_group_name(self, app, user_admin, test_repo_group):
94 schema = repo_schema.RepoSchema().bind(
96 schema = repo_schema.RepoSchema().bind(
95 repo_type_options=['hg'],
97 repo_type_options=['hg'],
98 repo_type='hg',
96 user=user_admin
99 user=user_admin
97 )
100 )
98
101
@@ -114,6 +117,7 b' class TestRepoSchema(object):'
114 self, app, user_regular, test_repo_group):
117 self, app, user_regular, test_repo_group):
115 schema = repo_schema.RepoSchema().bind(
118 schema = repo_schema.RepoSchema().bind(
116 repo_type_options=['hg'],
119 repo_type_options=['hg'],
120 repo_type='hg',
117 user=user_regular
121 user=user_regular
118 )
122 )
119
123
General Comments 0
You need to be logged in to leave comments. Login now