Prevent xss attack over group name. Added regex validation for group and team name

2013-02-18 09:28:18 +02:00 · 2013-02-18 09:28:18 +02:00 · 020078663e
commit 020078663e
parent cfdf94fc27
5 changed files with 22 additions and 6 deletions
--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@ -17,11 +17,15 @@ class Namespace < ActiveRecord::Base
  has_many :projects, dependent: :destroy
  belongs_to :owner, class_name: "User"

-  validates :name, presence: true, uniqueness: true
+  validates :owner, presence: true
+  validates :name, presence: true, uniqueness: true,
+            length: { within: 0..255 },
+            format: { with: Gitlab::Regex.name_regex,
+                      message: "only letters, digits, spaces & '_' '-' '.' allowed." }
+
  validates :path, uniqueness: true, presence: true, length: { within: 1..255 },
            format: { with: Gitlab::Regex.path_regex,
                      message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }
-  validates :owner, presence: true

  delegate :name, to: :owner, allow_nil: true, prefix: true

--- a/app/models/user_team.rb
+++ b/app/models/user_team.rb
@ -21,8 +21,11 @@ class UserTeam < ActiveRecord::Base
  has_many :projects, through: :user_team_project_relationships
  has_many :members,  through: :user_team_user_relationships, source: :user

-  validates :name, presence: true, uniqueness: true
  validates :owner, presence: true
+  validates :name, presence: true, uniqueness: true,
+            length: { within: 0..255 },
+            format: { with: Gitlab::Regex.name_regex,
+                      message: "only letters, digits, spaces & '_' '-' '.' allowed." }
  validates :path, uniqueness: true, presence: true, length: { within: 1..255 },
            format: { with: Gitlab::Regex.path_regex,
                      message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }