From 020078663e401798d199a1a293ac59d990f81dad Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Mon, 18 Feb 2013 09:28:18 +0200
Subject: [PATCH] Prevent xss attack over group name. Added regex validation for group and team name

---
 app/helpers/application_helper.rb | 9 +++++++--
 app/helpers/projects_helper.rb    | 2 +-
 app/models/namespace.rb           | 8 ++++++--
 app/models/user_team.rb           | 5 ++++-
 lib/gitlab/regex.rb               | 4 ++++
 5 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 196105f0..d02130c5 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -73,8 +73,8 @@ module ApplicationHelper
 
   def search_autocomplete_source
     projects = current_user.authorized_projects.map { |p| { label: "project: #{p.name_with_namespace}", url: project_path(p) } }
-    groups = current_user.authorized_groups.map { |group| { label: "group: #{group.name}", url: group_path(group) } }
-    teams = current_user.authorized_teams.map { |team| { label: "team: #{team.name}", url: team_path(team) } }
+    groups = current_user.authorized_groups.map { |group| { label: "group: #{simple_sanitize(group.name)}", url: group_path(group) } }
+    teams = current_user.authorized_teams.map { |team| { label: "team: #{simple_sanitize(team.name)}", url: team_path(team) } }
 
     default_nav = [
       { label: "My Profile", url: profile_path },
@@ -159,8 +159,13 @@ module ApplicationHelper
                 alt: "Sign in with #{provider.to_s.titleize}")
   end
 
+  def simple_sanitize str
+    sanitize(str, tags: %w(a span))
+  end
+
   def image_url(source)
     root_url + path_to_image(source)
   end
+
   alias_method :url_to_image, :image_url
 end
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 05303e86..8225014a 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
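Review bot: The project label on the context line just above the change still interpolates `p.name_with_namespace` raw, while the group and team labels now go through `simple_sanitize`; since `name_with_namespace` presumably embeds the same group name, a stored name containing markup would still reach the autocomplete source through the project entries. Treating all three labels the same way, e.g. `label: "project: #{simple_sanitize(p.name_with_namespace)}"` or escaping each label before it is serialized, closes that gap. Whether this is reachable depends on how the client inserts `label` (as text or as HTML), which is outside the hunk. The body of `search_autocomplete_source` continues past the end of the hunk.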
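Review bot: `simple_sanitize` whitelists `a` and `span`, which is broader than a group or team name needs, and `sanitize` returns an `html_safe` buffer, so any caller that previously relied on default escaping now renders whatever tags the sanitizer lets through; for a plain display name `sanitize(str, tags: [])` or `ERB::Util.html_escape(str)` expresses the intent more tightly. The definition also lacks parentheses, unlike `image_url(source)` a few lines below; `def simple_sanitize(str)` matches the file's style. A one-line comment would help the next reader, e.g. `# Strips markup from a user-supplied name, keeping only <a> and <span>; the result is html_safe.`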
@@ -56,7 +56,7 @@ module ProjectsHelper
   def project_title project
     if project.group
       content_tag :span do
-        link_to(project.group.name, group_path(project.group)) + " / " + project.name
+        link_to(simple_sanitize(project.group.name), group_path(project.group)) + " / " + project.name
       end
     else
       project.name
diff --git a/app/models/namespace.rb b/app/models/namespace.rb
index 4e157839..385fa291 100644
--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -17,11 +17,15 @@ class Namespace < ActiveRecord::Base
   has_many :projects, dependent: :destroy
   belongs_to :owner, class_name: "User"
 
-  validates :name, presence: true, uniqueness: true
+  validates :owner, presence: true
+  validates :name, presence: true, uniqueness: true,
+            length: { within: 0..255 },
+            format: { with: Gitlab::Regex.name_regex,
+                      message: "only letters, digits, spaces & '_' '-' '.' allowed." }
+
   validates :path, uniqueness: true, presence: true, length: { within: 1..255 }, format: { with: Gitlab::Regex.path_regex, message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }
-  validates :owner, presence: true
 
   delegate :name, to: :owner, allow_nil: true, prefix: true
diff --git a/app/models/user_team.rb b/app/models/user_team.rb
index dc8cf9ee..2f3091c2 100644
--- a/app/models/user_team.rb
+++ b/app/models/user_team.rb
@@ -21,8 +21,11 @@ class UserTeam < ActiveRecord::Base
   has_many :projects, through: :user_team_project_relationships
   has_many :members, through: :user_team_user_relationships, source: :user
 
-  validates :name, presence: true, uniqueness: true
   validates :owner, presence: true
+  validates :name, presence: true, uniqueness: true,
+            length: { within: 0..255 },
+            format: { with: Gitlab::Regex.name_regex,
+                      message: "only letters, digits, spaces & '_' '-' '.' allowed." }
   validates :path, uniqueness: true, presence: true, length: { within: 1..255 }, format: { with: Gitlab::Regex.path_regex, message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }
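Review bot: Wrapping the group name in `simple_sanitize` changes how `link_to` treats it: in Rails `link_to` escapes a plain-string name by default but leaves an `html_safe` value alone, and `sanitize` returns an `html_safe` buffer, so the new line renders any `a`/`span` markup that survives the sanitizer, whereas the removed line already had the name fully escaped. If a literal name is wanted here, `link_to(project.group.name, group_path(project.group))` or `h(project.group.name)` is the tighter form; the sanitizer belongs only where markup in the name is intended. `project_title`'s `else` branch continues past the end of the hunk.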
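Review bot: The new `name` format validation runs only on future saves, so namespaces whose stored names already contain markup keep it until a data migration re-validates or rewrites them; the commit adds no such migration, leaving the helper-side sanitizing as the only protection for existing rows, and that is worth stating in the commit or a comment above the validation. `length: { within: 0..255 }` next to `presence: true` is also inconsistent with the `1..255` used for `path` on the following line; `length: { within: 1..255 }` says what is meant. Both points apply equally to the identical block added in app/models/user_team.rb in the next hunk.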
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index 48304220..5eeb7c80 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -10,6 +10,10 @@ module Gitlab
       /\A[a-zA-Z][a-zA-Z0-9_\-\. ]*\z/
     end
 
+    def name_regex
+      /\A[a-zA-Z0-9_\-\. ]*\z/
+    end
+
     def path_regex
       default_regex
     end
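Review bot: `name_regex` carries no comment explaining how it differs from `default_regex` directly above it (same character class, but the first character no longer has to be a letter), and its ASCII-only class means any group or team whose display name uses non-Latin letters will now fail the `Namespace`/`UserTeam` validation, which should be a stated decision rather than a side effect; e.g. `# Display-name variant of default_regex: any allowed character may come first; ASCII letters only.` The `\-\.` escapes are redundant inside a character class, so `/\A[a-zA-Z0-9_. -]*\z/` is equivalent and easier to read. The `*` admits the empty string, which the callers' `presence: true` covers, so the regex should not be reused without that companion check. `default_regex` begins outside the hunk.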