diff options
| author | Zeger-Jan van de Weg <git@zjvandeweg.nl> | 2019-10-18 16:47:50 +0300 |
|---|---|---|
| committer | Zeger-Jan van de Weg <git@zjvandeweg.nl> | 2019-10-18 16:47:50 +0300 |
| commit | 607f5f1ee7b45c21ab7bfe6ead6f86be39efa758 (patch) | |
| tree | ce90cf193f7cb9f3fbdf73b62097c84ae83810d8 | |
| parent | 78de944558414c1ae8f97ed900ce303725fdea90 (diff) | |
Apply the GitDSL in the Ref Service
This change applies the GitDSL to prevent command injection in 3 more
cases.
Closes: https://gitlab.com/gitlab-org/gitaly/issues/1967
Closes: https://gitlab.com/gitlab-org/gitaly/issues/1968
Closes: https://gitlab.com/gitlab-org/gitaly/issues/1972
| -rw-r--r-- | internal/service/ref/branches.go | 6 | ||||
| -rw-r--r-- | internal/service/ref/delete_refs.go | 5 | ||||
| -rw-r--r-- | internal/service/ref/refexists.go | 6 |
3 files changed, 14 insertions, 3 deletions
diff --git a/internal/service/ref/branches.go b/internal/service/ref/branches.go index a9dd8f23b..fd31ddb13 100644 --- a/internal/service/ref/branches.go +++ b/internal/service/ref/branches.go @@ -55,7 +55,11 @@ func (s *server) FindBranch(ctx context.Context, req *gitalypb.FindBranchRequest refName = strings.TrimPrefix(refName, "heads/") } - cmd, err := git.Command(ctx, repo, "for-each-ref", "--format", "%(objectname)", "refs/heads/"+refName) + cmd, err := git.SafeCmd(ctx, repo, nil, git.SubCmd{ + Name: "for-each-ref", + Flags: []git.Option{git.Flag{"--format=%(objectname)"}}, + Args: []string{"refs/heads/" + refName}, + }) if err != nil { return nil, err } diff --git a/internal/service/ref/delete_refs.go b/internal/service/ref/delete_refs.go index 1ed18e9d1..44ff3a17b 100644 --- a/internal/service/ref/delete_refs.go +++ b/internal/service/ref/delete_refs.go @@ -51,7 +51,10 @@ func refsToRemove(ctx context.Context, req *gitalypb.DeleteRefsRequest) ([]strin return refs, nil } - cmd, err := git.Command(ctx, req.GetRepository(), "for-each-ref", "--format=%(refname)") + cmd, err := git.SafeCmd(ctx, req.GetRepository(), nil, git.SubCmd{ + Name: "for-each-ref", + Flags: []git.Option{git.Flag{"--format=%(refname)"}}, + }) if err != nil { return nil, fmt.Errorf("error setting up for-each-ref command: %v", err) } diff --git a/internal/service/ref/refexists.go b/internal/service/ref/refexists.go index 9baf5e5bd..975b3ee06 100644 --- a/internal/service/ref/refexists.go +++ b/internal/service/ref/refexists.go @@ -28,7 +28,11 @@ func (server) RefExists(ctx context.Context, in *gitalypb.RefExistsRequest) (*gi } func refExists(ctx context.Context, repo *gitalypb.Repository, ref string) (bool, error) { - cmd, err := git.Command(ctx, repo, "show-ref", "--verify", "--quiet", ref) + cmd, err := git.SafeCmd(ctx, repo, nil, git.SubCmd{ + Name: "show-ref", + Flags: []git.Option{git.Flag{"--verify"}, git.Flag{"--quiet"}}, + Args: []string{ref}, + }) if err != nil { return false, err } |