
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorStan Hu <stanhu@gmail.com>2018-10-08 09:16:45 +0300
committerStan Hu <stanhu@gmail.com>2018-10-08 23:32:31 +0300
commit22d7c1379fea684dc09e9347e134741fb6b5b2c6 (patch)
treef9f818bc18c9612f38410353ff018230df8f28db /app
parentc3389c8006443e2b4d994eb15e60bd249fc4732f (diff)
Reject invalid branch names in repository compare controller
Closes #51003
Diffstat (limited to 'app')
-rw-r--r--app/controllers/projects/compare_controller.rb17
1 files changed, 17 insertions, 0 deletions
diff --git a/app/controllers/projects/compare_controller.rb b/app/controllers/projects/compare_controller.rb
index c2df7b34f90..2917925947f 100644
--- a/app/controllers/projects/compare_controller.rb
+++ b/app/controllers/projects/compare_controller.rb
@@ -16,6 +16,8 @@ class Projects::CompareController < Projects::ApplicationController
before_action :define_diff_notes_disabled, only: [:show, :diff_for_path]
before_action :define_commits, only: [:show, :diff_for_path, :signatures]
before_action :merge_request, only: [:index, :show]
+ # Validation
+ before_action :validate_refs!
def index
end
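Review bot: `before_action :validate_refs!` is registered after the ivar-defining callbacks shown above it (`define_diff_notes_disabled`, `define_commits`, `merge_request`), and Rails runs before_action callbacks in declaration order, so on `show`, `diff_for_path` and `signatures` those callbacks run with the unvalidated refs before the request is rejected. Their bodies are outside this hunk, but if `define_commits` builds the comparison from `head_ref`/`start_ref`, an invalid name still reaches the Git layer before the check runs. Moving the line above the ivar-defining callbacks, while keeping it below any authorization callbacks, makes the validation take effect before the refs are used. A controller spec that requests `show` with an invalid ref and asserts that the comparison is never built would pin the ordering.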
@@ -63,6 +65,21 @@ class Projects::CompareController < Projects::ApplicationController
private
+ def valid_ref?(ref_name)
+ return true unless ref_name.present?
+
+ Gitlab::GitRefValidator.validate(ref_name)
+ end
+
+ def validate_refs!
+ valid = [head_ref, start_ref].map { |ref| valid_ref?(ref) }
+
+ return if valid.all?
+
+ flash[:alert] = "Invalid branch name"
+ redirect_to project_compare_index_path(@project)
+ end
+
def compare
return @compare if defined?(@compare)
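Review bot: `valid_ref?` returns true for a blank ref, which is surprising in a method that gates user-supplied ref names, and nothing in the hunk says why. If the reason is that the compare page is rendered before any ref is chosen, a comment above the guard should say so, e.g. `# Blank refs are allowed: the index page is shown before a ref is selected`. In `validate_refs!`, the intermediate array is not needed; `return if [head_ref, start_ref].all? { |ref| valid_ref?(ref) }` reads more directly. The callback also has no `only:` list, so it answers every action with a flash and a redirect, which presumably suits HTML requests only; `diff_for_path` and `signatures` may need an error status instead. `head_ref` and `start_ref` are defined outside the hunk.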