author | Mark Chao <mchao@gitlab.com> | 2019-04-10 06:39:45 +0300 |
---|---|---|
committer | Mark Chao <mchao@gitlab.com> | 2019-05-02 22:02:58 +0300 |
commit | d8bddb16624f34600069bb5d3540960b25176381 (patch) | |
tree | 6e38172e12eb8d5a5c1645b30cccdda9f7f08809 /lib/gitlab/git_ref_validator.rb | |
parent | 74ac04a6aa7a9398ed908f47080e64ec40e0dee8 (diff) |
Validate MR branch names
Prevents refspec as branch name, which would bypass branch protection
when used in conjunction with rebase.
HEAD seems to be a special case with lots of occurrences,
so it is considered valid for now.
Another special case is `refs/head/*`, which can be imported.
Diffstat (limited to 'lib/gitlab/git_ref_validator.rb')
-rw-r--r-- | lib/gitlab/git_ref_validator.rb | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/lib/gitlab/git_ref_validator.rb b/lib/gitlab/git_ref_validator.rb
index 3f13ebeb9d0..dfff6823689 100644
--- a/lib/gitlab/git_ref_validator.rb
+++ b/lib/gitlab/git_ref_validator.rb
@@ -5,12 +5,15 @@
 module Gitlab
 module GitRefValidator
 extend self
+
+ EXPANDED_PREFIXES = %w[refs/heads/ refs/remotes/].freeze
+ DISALLOWED_PREFIXES = %w[-].freeze
+
 # Validates a given name against the git reference specification
 #
 # Returns true for a valid reference name, false otherwise
 def validate(ref_name)
- not_allowed_prefixes = %w(refs/heads/ refs/remotes/ -)
- return false if ref_name.start_with?(*not_allowed_prefixes)
+ return false if ref_name.start_with?(*(EXPANDED_PREFIXES + DISALLOWED_PREFIXES))
 return false if ref_name == 'HEAD'
 
 begin
@@ -19,5 +22,21 @@ module Gitlab
 return false
 end
 end
+
+ def validate_merge_request_branch(ref_name)
+ return false if ref_name.start_with?(*DISALLOWED_PREFIXES)
+
+ expanded_name = if ref_name.start_with?(*EXPANDED_PREFIXES)
+ ref_name
+ else
+ "refs/heads/#{ref_name}"
+ end
+
+ begin
+ Rugged::Reference.valid_name?(expanded_name)
+ rescue ArgumentError
+ return false
+ end
+ end
 end
 end
|
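Review bot: The two new constants carry the whole prefix policy but have no comments, and the name `EXPANDED_PREFIXES` does not say that it lists prefixes of names that are already fully qualified. I would add `# Prefixes of ref names that are already fully qualified` above it, and above `DISALLOWED_PREFIXES` a comment giving the reason a leading `-` is rejected (presumably so a name can never be read as a command-line option; confirm). In `validate`, `EXPANDED_PREFIXES + DISALLOWED_PREFIXES` builds a new array on every call; a third frozen constant holding the union would avoid that and give the combined list a name. The body of `validate` continues outside this hunk.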
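Review bot: `validate_merge_request_branch` hands any name starting with `refs/remotes/` to `Rugged::Reference.valid_name?` unchanged, while the commit message justifies only imported `refs/head/*` names. If remote-tracking names are not expected as merge request branches, limit the pass-through to `ref_name.start_with?('refs/heads/')`; otherwise say in a comment why `refs/remotes/` is accepted. The method also has no doc comment, unlike `validate`. It should state that it accepts `HEAD` and already-qualified names, which `validate` rejects, and that rejection of refspec syntax rests entirely on `Rugged::Reference.valid_name?`, since the only other check is the leading `-`. A nil `ref_name` would raise `NoMethodError` at the first `start_with?`; whether callers can pass nil is not visible in this hunk.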