From f40b5860d76a8ea5d964260834a6e83516b0f1fd Mon Sep 17 00:00:00 2001
From: Reuben Pereira
Date: Mon, 7 Jan 2019 17:55:21 +0000
Subject: Add table and model for error tracking settings

---
 lib/gitlab/import_export/import_export.yml | 4 ++++
 lib/gitlab/import_export/relation_factory.rb | 1 +
 lib/gitlab/url_blocker.rb | 18 ++++++++++++++++--
 3 files changed, 21 insertions(+), 2 deletions(-)
(limited to 'lib')

diff --git a/lib/gitlab/import_export/import_export.yml b/lib/gitlab/import_export/import_export.yml
index a1a374cef4a..7987533978c 100644
--- a/lib/gitlab/import_export/import_export.yml
+++ b/lib/gitlab/import_export/import_export.yml
@@ -74,6 +74,7 @@ project_tree:
 - :prometheus_metrics
 - :project_badges
 - :ci_cd_settings
+ - :error_tracking_setting
 
 # Only include the following attributes for the models specified.
 included_attributes:
@@ -162,6 +163,9 @@ excluded_attributes:
 - :token_encrypted
 services:
 - :template
+ error_tracking_setting: - :encrypted_token - :encrypted_token_iv
 
 methods:
 labels:
diff --git a/lib/gitlab/import_export/relation_factory.rb b/lib/gitlab/import_export/relation_factory.rb
index bce12103cce..099b488f68e 100644
--- a/lib/gitlab/import_export/relation_factory.rb
+++ b/lib/gitlab/import_export/relation_factory.rb
@@ -24,6 +24,7 @@ module Gitlab
 project_badges: 'Badge',
 metrics: 'MergeRequest::Metrics',
 ci_cd_settings: 'ProjectCiCdSetting',
+ error_tracking_setting: 'ErrorTracking::ProjectErrorTrackingSetting',
 links: 'Releases::Link' }.freeze
 
 USER_REFERENCES = %w[author_id assignee_id updated_by_id merged_by_id latest_closed_by_id user_id created_by_id last_edited_by_id merge_user_id resolved_by_id closed_by_id].freeze
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index 44c71f8431d..9b7b0db9525 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -8,16 +8,18 @@ module Gitlab
 BlockedUrlError = Class.new(StandardError)
 
 class << self
- def validate!(url, ports: [], protocols: [], allow_localhost: false, allow_local_network: true, ascii_only: false, enforce_user: false)
+ def validate!(url, ports: [], protocols: [], allow_localhost: false, allow_local_network: true, ascii_only: false, enforce_user: false, enforce_sanitization: false)
 return true if url.nil?
 
 # Param url can be a string, URI or Addressable::URI
 uri = parse_url(url)
 
+ validate_html_tags!(uri) if enforce_sanitization
+
 # Allow imports from the GitLab instance itself but only from the configured ports
 return true if internal?(uri)
 
- port = uri.port || uri.default_port
+ port = get_port(uri)
 validate_protocol!(uri.scheme, protocols)
 validate_port!(port, ports) if ports.any?
 validate_user!(uri.user) if enforce_user
@@ -50,6 +52,18 @@ module Gitlab
 
 private
 
+ def get_port(uri)
+ uri.port || uri.default_port
+ end
+
+ def validate_html_tags!(uri)
+ uri_str = uri.to_s
+ sanitized_uri = ActionController::Base.helpers.sanitize(uri_str, tags: [])
+ if sanitized_uri != uri_str
+ raise BlockedUrlError, 'HTML/CSS/JS tags are not allowed'
+ end
+ end
+
 def parse_url(url)
 raise Addressable::URI::InvalidURIError if multiline?(url)
 
-- cgit v1.2.3
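Review bot: The new `enforce_sanitization:` keyword on `validate!` is undocumented, and its name describes the mechanism rather than what a caller gets by opting in (the URL is rejected, not cleaned). A one-line comment above the new call would make that clear: `# Reject, rather than strip, any HTML/CSS/JS markup in the URL; opt-in via enforce_sanitization`. Note that the check runs on the parsed `uri`, after `parse_url`, so whatever normalisation `parse_url` applies happens before the markup test — worth confirming that ordering is intended. `validate!` continues past the end of this hunk.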
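Review bot: `validate_html_tags!` decides by string equality with the output of `ActionController::Base.helpers.sanitize`, which re-serialises the input as an HTML fragment rather than only stripping tags; a character that is legal in a URL but entity-encoded on output (an `&` between query parameters, for instance) would presumably make `sanitized_uri` differ and raise `BlockedUrlError` for a harmless URL — confirm with something like `http://example.com/?a=1&b=2`. If the intent is only to reject markup, a direct character test is cheaper, has no false positives from re-serialisation, and keeps `lib/` from depending on a Rails view helper: `raise BlockedUrlError, 'HTML/CSS/JS tags are not allowed' if uri_str.match?(/[<>]/)`. As a style point, the three-line `if … end` in the same method reads better as a modifier `raise … if sanitized_uri != uri_str`.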