Patch #43966 » 0001-tighten-SVN-repository-URL-validation.patch

Jens Krämer, 2026-04-17 06:57


app/models/repository/subversion.rb
21 21

  
22 22
class Repository::Subversion < Repository
23 23
  validates_presence_of :url
24
  validates_format_of :url, :with => %r{\A(http|https|svn(\+[^\s:\/\\]+)?|file):\/\/.+}i
24
  validates_format_of :url, :with => %r{\A(http|https|svn(\+[^\s:\/\\]+)?|file):\/\/.+\z}i
25 25

  
26 26
  def self.scm_adapter_class
27 27
    Redmine::Scm::Adapters::SubversionAdapter
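Review bot: The `\z` anchor added on line 24 stops a trailing `\n`, but `.+` still matches `\r` and every other control character, so a value such as `"svn://host/repo\rfoo"` would still pass this validation; the new tests in test/unit/repository_subversion_test.rb and test/functional/repositories_controller_test.rb only exercise `\n` and `\r\n`. If the aim is to keep control characters out of a value the adapter later places on a command line, `%r{\A(http|https|svn(\+[^\s:\/\\]+)?|file):\/\/[^[:cntrl:]]+\z}i` closes that gap; `\S+` would be stricter still but would also reject literal spaces, which is a behaviour change worth confirming against existing repositories. A bare-`\r` case in test_invalid_url would pin whichever choice is made. The class body continues past the end of the hunk.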
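--- a/test/functional/repositories_controller_test.rb
+++ b/test/functional/repositories_controller_test.rb
@@ -120,6 +120,31 @@
     end
   end
 
+  def test_create_should_reject_subversion_url_with_newline_injection
+    @request.session[:user_id] = 1
+    [
+      "file:///test\nfoo",
+      "svn+ssh://example.com/repo\r\nbar"
+    ].each do |injected_url|
+      assert_no_difference 'Repository.count', "expected #{injected_url.inspect} to be rejected" do
+        post(
+          :create,
+          :params => {
+            :project_id => 'subproject1',
+            :repository_scm => 'Subversion',
+            :repository => {
+              :url => injected_url,
+              :is_default => '1',
+              :identifier => ''
+            }
+          }
+        )
+      end
+      assert_response :success
+      assert_select_error /URL is invalid/
+    end
+  end
+
   def test_edit
     @request.session[:user_id] = 1
     get(:edit, :params => {:id => 11})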
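--- a/test/unit/repository_subversion_test.rb
+++ b/test/unit/repository_subversion_test.rb
@@ -35,14 +35,19 @@
 
   def test_invalid_url
     set_language_if_valid 'en'
-    ['invalid', 'http://', 'svn://', 'svn+ssh://', 'file://'].each do |url|
+    invalid_urls = [
+      'invalid', 'http://', 'svn://', 'svn+ssh://', 'file://',
+      "http://valid\nfoo",
+      "svn://valid\r\nbar"
+    ]
+    invalid_urls.each do |url|
       repo =
         Repository::Subversion.new(
           :project      => @project,
           :identifier   => 'test',
           :url => url
         )
-      assert !repo.save
+      assert !repo.save, "expected #{url.inspect} to be rejected"
       assert_equal ["is invalid"], repo.errors[:url]
     end
   end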