Merge branch 'master' of gitorious.org:gitorious/mainline

victori · Jan 30, 2012 · 8625198 · 8625198
2 parents 70e9afa + cc2895e
commit 8625198
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 2 deletions.
diff --git a/lib/gitorious.rb b/lib/gitorious.rb
@@ -16,5 +16,5 @@
 #   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #++
 module Gitorious
-  VERSION = "2.1.0"
+  VERSION = "2.1.1"
 end
diff --git a/lib/gitorious/git_shell.rb b/lib/gitorious/git_shell.rb
@@ -14,6 +14,9 @@
 #
 #   You should have received a copy of the GNU Affero General Public License
 #   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#   Thanks for valuable input from joernchen of Phenoelit 
+#
 #++
 require "timeout"
 module Gitorious
@@ -34,10 +37,14 @@ def graph_log(git_dir, *options)
       pretty_format = %Q{format:"#{log_format}"}
 
       command = "#{GitoriousConfig['git_binary']} --git-dir=#{git_dir} log --graph --pretty=#{pretty_format} "
-      command << options.join(" ")
+      command << sanitize(options.join(" "))
       execute(command)
     end
 
+    def sanitize(input)
+      input.gsub(/[^a-zA-Z0-9\/\s=\-]/,"")
+    end
+
     class GitTimeout < ::Timeout::Error
     end
   end

diff --git a/test/unit/lib/gitorious/git_shell_test.rb b/test/unit/lib/gitorious/git_shell_test.rb
@@ -0,0 +1,37 @@
+# encoding: utf-8
+#--
+#   Copyright (C) 2012 Gitorious AS
+#
+#   This program is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU Affero General Public License for more details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#++
+
+require "test_helper"
+class GitShellTest < ActiveSupport::TestCase
+  context "Sanitization" do
+    setup do
+      @shell = Gitorious::GitShell.new
+    end
+
+    should "sanitize parameters sent to it" do
+      @shell.expects(:sanitize).returns("")
+      @shell.expects(:execute).returns(nil)
+      @shell.graph_log(nil, nil)
+    end
+
+    should "remove anything but valid git object names" do
+      input = "`id>/tmp/command`"
+      assert_equal("id/tmp/command", @shell.sanitize(input))
+    end
+  end
+end