From 67aaedd40eac64124e3dadd89c36ba2a76bdbce9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Francisco=20Javier=20L=C3=B3pez?=
Date: Wed, 27 Feb 2019 14:20:24 +0000
Subject: Arbitrary file read via MergeRequestDiff
---
 app/models/merge_request.rb | 2 +-
 app/models/merge_request_diff.rb | 2 ++
 app/validators/sha_validator.rb | 9 +++++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 app/validators/sha_validator.rb
(limited to 'app')
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 237b01636fb..2e2a3b7384f 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -69,7 +69,7 @@ class MergeRequest < ActiveRecord::Base
 serialize :merge_params, Hash # rubocop:disable Cop/ActiveRecordSerialize
- after_create :ensure_merge_request_diff, unless: :importing?
+ after_create :ensure_merge_request_diff
 after_update :clear_memoized_shas
 after_update :reload_diff_if_branch_changed
 after_save :ensure_metrics
diff --git a/app/models/merge_request_diff.rb b/app/models/merge_request_diff.rb
index a3029a54604..7bd904fe176 100644
--- a/app/models/merge_request_diff.rb
+++ b/app/models/merge_request_diff.rb
@@ -20,6 +20,8 @@ class MergeRequestDiff < ActiveRecord::Base
 has_many :merge_request_diff_files, -> { order(:merge_request_diff_id, :relative_order) }
 has_many :merge_request_diff_commits, -> { order(:merge_request_diff_id, :relative_order) }
+ validates :base_commit_sha, :head_commit_sha, :start_commit_sha, sha: true
+
 state_machine :state, initial: :empty do
 event :clean do
 transition any => :without_files
diff --git a/app/validators/sha_validator.rb b/app/validators/sha_validator.rb
new file mode 100644
index 00000000000..085fca4d65d
--- /dev/null
+++ b/app/validators/sha_validator.rb
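Review bot: In app/models/merge_request.rb, the `after_create :ensure_merge_request_diff` line loses its `unless: :importing?` guard with no comment saying why the callback must now also run during imports, so a later cleanup or performance change could quietly restore the guard. Going by the commit subject, the reason appears to be that diff data arriving with an import should not be trusted as-is; a line such as `# Runs during imports too: diff data supplied by an import is untrusted` above the callback would record that. `ensure_merge_request_diff` is defined outside this hunk, so whether it replaces a diff supplied by the import or only creates one when none exists cannot be checked here and is worth confirming.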
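Review bot: In app/models/merge_request_diff.rb, the new `validates :base_commit_sha, :head_commit_sha, :start_commit_sha, sha: true` only protects writes that run ActiveModel validations. Writes that skip them (`update_column`, `update_all`, `save(validate: false)`, bulk inserts) and rows stored before this change are not covered, and none of those call sites are visible in this hunk. If these SHAs are later handed to the repository layer, as the commit subject suggests, the code that reads them should re-check the format rather than rely on this validation alone. A comment such as `# Reject non-SHA values before they can reach a repository lookup` above the line would document the intent.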
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class ShaValidator < ActiveModel::EachValidator
+ def validate_each(record, attribute, value)
+ return if value.blank? || value.match(/\A\h{40}\z/)
+
+ record.errors.add(attribute, 'is not a valid SHA')
+ end
+end
-- cgit v1.2.3
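Review bot: In `ShaValidator#validate_each`, the `value.blank?` short-circuit accepts whitespace-only strings as well as nil and "", so a non-empty value that is not a SHA can still pass. Separately, `value.match` would raise NoMethodError rather than add a validation error if the validator were ever applied to a non-String value such as an Integer. `return if value.nil? || value.to_s.match?(/\A\h{40}\z/)` closes both; if empty strings must remain valid for existing rows, that exception should be stated in a comment. The class also has no doc comment saying that only 40-character hex object ids are accepted, which is worth recording because the length is hard-coded.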