Changeset - 48b9fdef5e7f
Parent rev.
Child rev.
[Not reviewed]
stable
0 1 0
Mads Kiilerich (mads) - 5 years ago 2020-11-11 17:03:40
mads@kiilerich.com
repo_groups: extra escape of names when used in select drop-downs

The lack of escaping could be a problem *if* it was possible to create repo
groups with dangerous names.

This was seen for example when specifying parent group of repos and repo
groups.

We want to keep groups_choices as HTML literals so paths can use » as
separator.
1 file changed with 2 insertions and 1 deletions:
kallithea/model/db.py
2
1
0 comments (0 inline, 0 general)
kallithea/model/db.py
Show inline comments
 
@@ -1386,51 +1386,52 @@ class RepoGroup(Base, BaseDbModel):
 
    def query(cls, sorted=False):
 
        """Add RepoGroup-specific helpers for common query constructs.
 

			




	
	
	
		
 
        sorted: if True, apply the default ordering (name, case insensitive).

			




	
	
	
		
 
        """

			




	
	
	
		
 
        q = super(RepoGroup, cls).query()

			




	
	
	
		
 

			




	
	
	
		
 
        if sorted:

			




	
	
	
		
 
            q = q.order_by(sqlalchemy.func.lower(RepoGroup.group_name))

			




	
	
	
		
 

			




	
	
	
		
 
        return q

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, group_name='', parent_group=None):

			




	
	
	
		
 
        self.group_name = group_name

			




	
	
	
		
 
        self.parent_group = parent_group

			




	
	
	
		
 

			




	
	
	
		
 
    def __repr__(self):

			




	
	
	
		
 
        return "<%s %s: %s>" % (self.__class__.__name__,

			




	
	
	
		
 
                                self.group_id, self.group_name)

			




	
	
	
		
 

			




	
	
	
		
 
    @classmethod

			




	
	
	
		
 
    def _generate_choice(cls, repo_group):

			




	
	
	
		
 
        """Return tuple with group_id and name as html literal"""

			




	
	
	
		
 
        from webhelpers2.html import literal

			




	
	
	
		
 
        import kallithea.lib.helpers as h

			




	
	
	
		
 
        if repo_group is None:

			




	
	
	
		
 
            return (-1, '-- %s --' % _('top level'))

			




	
	
	
		
 
        return repo_group.group_id, literal(cls.SEP.join(repo_group.full_path_splitted))

			




	
	
	
		
 
        return repo_group.group_id, literal(cls.SEP.join(h.html_escape(x) for x in repo_group.full_path_splitted))

			




	
	
	
		
 

			




	
	
	
		
 
    @classmethod

			




	
	
	
		
 
    def groups_choices(cls, groups):

			




	
	
	
		
 
        """Return tuples with group_id and name as html literal."""

			




	
	
	
		
 
        return sorted((cls._generate_choice(g) for g in groups),

			




	
	
	
		
 
                      key=lambda c: c[1].split(cls.SEP))

			




	
	
	
		
 

			




	
	
	
		
 
    @classmethod

			




	
	
	
		
 
    def guess_instance(cls, value):

			




	
	
	
		
 
        return super(RepoGroup, cls).guess_instance(value, RepoGroup.get_by_group_name)

			




	
	
	
		
 

			




	
	
	
		
 
    @classmethod

			




	
	
	
		
 
    def get_by_group_name(cls, group_name, case_insensitive=False):

			




	
	
	
		
 
        group_name = group_name.rstrip('/')

			




	
	
	
		
 
        if case_insensitive:

			




	
	
	
		
 
            gr = cls.query() \

			




	
	
	
		
 
                .filter(sqlalchemy.func.lower(cls.group_name) == sqlalchemy.func.lower(group_name))

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            gr = cls.query() \

			




	
	
	
		
 
                .filter(cls.group_name == group_name)

			




	
	
	
		
 
        return gr.scalar()

			




	
	
	
		
 

			




	
	
	
		
 
    @property

			




	
	
	
		
 
    def parents(self):

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        Server instance: clio-12651
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.
            – Support