author | Francisco Javier López <fjlopez@gitlab.com> | 2019-02-27 17:20:24 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:20:24 +0300 |
commit | 67aaedd40eac64124e3dadd89c36ba2a76bdbce9 (patch) | |
tree | f79de28c4e04779cb9360d6f763b929e02cc1b5b /app | |
parent | 476b07b12a2b6f47878fcf06479e77f4e1850d03 (diff) |
Arbitrary file read via MergeRequestDiff
Diffstat (limited to 'app')
-rw-r--r-- | app/models/merge_request.rb | 2 | ||||
-rw-r--r-- | app/models/merge_request_diff.rb | 2 | ||||
-rw-r--r-- | app/validators/sha_validator.rb | 9 |
3 files changed, 12 insertions, 1 deletions
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 237b01636fb..2e2a3b7384f 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -69,7 +69,7 @@ class MergeRequest < ActiveRecord::Base
 serialize :merge_params, Hash # rubocop:disable Cop/ActiveRecordSerialize
- after_create :ensure_merge_request_diff, unless: :importing?
+ after_create :ensure_merge_request_diff
 after_update :clear_memoized_shas
 after_update :reload_diff_if_branch_changed
 after_save :ensure_metrics
diff --git a/app/models/merge_request_diff.rb b/app/models/merge_request_diff.rb
index a3029a54604..7bd904fe176 100644
--- a/app/models/merge_request_diff.rb
+++ b/app/models/merge_request_diff.rb
@@ -20,6 +20,8 @@ class MergeRequestDiff < ActiveRecord::Base
 has_many :merge_request_diff_files, -> { order(:merge_request_diff_id, :relative_order) }
 has_many :merge_request_diff_commits, -> { order(:merge_request_diff_id, :relative_order) }
+ validates :base_commit_sha, :head_commit_sha, :start_commit_sha, sha: true
+
 state_machine :state, initial: :empty do
 event :clean do
 transition any => :without_files
diff --git a/app/validators/sha_validator.rb b/app/validators/sha_validator.rb
new file mode 100644
index 00000000000..085fca4d65d
--- /dev/null
+++ b/app/validators/sha_validator.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class ShaValidator < ActiveModel::EachValidator
+ def validate_each(record, attribute, value)
+ return if value.blank? || value.match(/\A\h{40}\z/)
+
+ record.errors.add(attribute, 'is not a valid SHA')
+ end
+end
|
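Review bot: The `after_create :ensure_merge_request_diff` line now runs for imported merge requests too, but nothing at the callback records why the `unless: :importing?` guard was dropped, so it could easily be re-added later as an import optimisation. Going by the commit title, the guard presumably let diff data supplied by an import stand in for a diff computed from the repository; a short comment would pin that down, e.g. `# Always build the diff from the repository, even while importing: imported diff data is untrusted.` The rest of the class lies outside the hunk, so whether the importer still creates MergeRequestDiff rows from imported data elsewhere cannot be confirmed here and is worth checking.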
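Review bot: The new `validates :base_commit_sha, :head_commit_sha, :start_commit_sha, sha: true` line only protects writes that go through a validating save; `update_columns`, `update_all`, bulk inserts or `save(validate: false)` skip it, and rows stored before this change are never re-checked. Whether any such path writes these three columns is not visible in this hunk, so the import and diff-creation code should be checked for it. Since the commit title ties this change to a file read, it may also be worth rejecting a malformed value at the point where the SHA is consumed rather than relying on the model alone. A comment above the validation such as `# Reject anything that is not a 40-character hex object id before it is stored.` would record the intent.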
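Review bot: The early return in `validate_each` uses `value.blank?`, which in ActiveSupport is also true for whitespace-only strings, so a value made up only of spaces or newlines is accepted without being a SHA. If the intent is only to allow an unset column, `return if value.nil? || value.empty? || value.match?(/\A\h{40}\z/)` is tighter, and `match?` avoids building a MatchData object. `\h{40}` also accepts upper-case hex and fixes the length at 40; if that is intended, a one-line comment on the class saying so, and that empty values are deliberately allowed, would help the next reader.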