debian-mirror-gitlab/lib/gitlab/git/pre_receive_error.rb

# frozen_string_literal: true

module Gitlab
  module Git
    #
    # PreReceiveError is special because its message gets displayed to users
    # in the web UI. Because of this, we:
    # - Only display errors that have been marked as safe with a prefix.
    #   This is to prevent leaking of stacktraces, or other sensitive info.
    # - Sanitize the string of any XSS
    class PreReceiveError < StandardError
      SAFE_MESSAGE_PREFIXES = [
        'GitLab:', # Messages from gitlab-shell
        'GL-HOOK-ERR:' # Messages marked as safe by user
      ].freeze

      SAFE_MESSAGE_REGEX = /^(#{SAFE_MESSAGE_PREFIXES.join('|')})\s*(?<safe_message>.+)/.freeze

      def initialize(message = '')
        super(sanitize(message))
      end

      private

      # In gitaly-ruby we override this method to do nothing, so that
      # sanitization happens in gitlab-rails only.
      def sanitize(message)
        return message if message.blank?

        safe_messages = message.split("\n").map do |msg|
          if (match = msg.match(SAFE_MESSAGE_REGEX))
            match[:safe_message].presence
          end
        end

        safe_messages = safe_messages.compact.join("\n")

        Gitlab::Utils.nlbr(safe_messages)
      end
    end
  end
end
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`# frozen_string_literal: true`

New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`module Gitlab`
			`module Git`
			`#`
			`# PreReceiveError is special because its message gets displayed to users`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`# in the web UI. Because of this, we:`
			`# - Only display errors that have been marked as safe with a prefix.`
			`# This is to prevent leaking of stacktraces, or other sensitive info.`
			`# - Sanitize the string of any XSS`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`class PreReceiveError < StandardError`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`SAFE_MESSAGE_PREFIXES = [`
			`'GitLab:', # Messages from gitlab-shell`
			`'GL-HOOK-ERR:' # Messages marked as safe by user`
			`].freeze`

New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`SAFE_MESSAGE_REGEX = /^(#{SAFE_MESSAGE_PREFIXES.join('\|')})\s*(?<safe_message>.+)/.freeze`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30
			`def initialize(message = '')`
			`super(sanitize(message))`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`end`

			`private`

			`# In gitaly-ruby we override this method to do nothing, so that`
			`# sanitization happens in gitlab-rails only.`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`def sanitize(message)`
			`return message if message.blank?`

			`safe_messages = message.split("\n").map do \|msg\|`
			`if (match = msg.match(SAFE_MESSAGE_REGEX))`
			`match[:safe_message].presence`
			`end`
			`end`

			`safe_messages = safe_messages.compact.join("\n")`

			`Gitlab::Utils.nlbr(safe_messages)`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`end`
			`end`
			`end`
			`end`