Changeset - df930758dcf7
Parent rev.
Child rev.
[Not reviewed]
stable
0 2 0
Mads Kiilerich (mads) - 5 years ago 2020-11-11 16:45:42
mads@kiilerich.com
repos: extra HTML escaping of repo and repo group names shown in DataTables

These names will already have been "slugged" and can thus not contain anything
that can be used for any attack. But let's be explicitly safe and escape them
anyway.

raw_name without escaping would cause XSS *if* it was possible to create unsafe
repo names.

just_name must be escaped in order to make search work correctly - for example
if searching for '<' ... *if* it was possible for names to contain that.
2 files changed with 5 insertions and 5 deletions:
kallithea/controllers/admin/repo_groups.py
1
1
kallithea/model/repo.py
4
4
0 comments (0 inline, 0 general)
kallithea/controllers/admin/repo_groups.py
Show inline comments
 
@@ -96,49 +96,49 @@ class RepoGroupsController(BaseControlle
 
        if _new and _new[0][1] != 'group.admin' or _up and _up[0][1] != 'group.admin':
 
            return True
 
        return False
 

			




	
	
	
		
 
    def index(self, format='html'):

			




	
	
	
		
 
        _list = RepoGroup.query(sorted=True).all()

			




	
	
	
		
 
        group_iter = RepoGroupList(_list, perm_level='admin')

			




	
	
	
		
 
        repo_groups_data = []

			




	
	
	
		
 
        _tmpl_lookup = app_globals.mako_lookup

			




	
	
	
		
 
        template = _tmpl_lookup.get_template('data_table/_dt_elements.html')

			




	
	
	
		
 

			




	
	
	
		
 
        def repo_group_name(repo_group_name, children_groups):

			




	
	
	
		
 
            return template.get_def("repo_group_name") \

			




	
	
	
		
 
                .render_unicode(repo_group_name, children_groups, _=_, h=h, c=c)

			




	
	
	
		
 

			




	
	
	
		
 
        def repo_group_actions(repo_group_id, repo_group_name, gr_count):

			




	
	
	
		
 
            return template.get_def("repo_group_actions") \

			




	
	
	
		
 
                .render_unicode(repo_group_id, repo_group_name, gr_count, _=_, h=h, c=c,

			




	
	
	
		
 
                        ungettext=ungettext)

			




	
	
	
		
 

			




	
	
	
		
 
        for repo_gr in group_iter:

			




	
	
	
		
 
            children_groups = [g.name for g in repo_gr.parents] + [repo_gr.name]

			




	
	
	
		
 
            repo_count = repo_gr.repositories.count()

			




	
	
	
		
 
            repo_groups_data.append({

			




	
	
	
		
 
                "raw_name": repo_gr.group_name,

			




	
	
	
		
 
                "raw_name": h.escape(repo_gr.group_name),

			




	
	
	
		
 
                "group_name": repo_group_name(repo_gr.group_name, children_groups),

			




	
	
	
		
 
                "desc": h.escape(repo_gr.group_description),

			




	
	
	
		
 
                "repos": repo_count,

			




	
	
	
		
 
                "owner": h.person(repo_gr.owner),

			




	
	
	
		
 
                "action": repo_group_actions(repo_gr.group_id, repo_gr.group_name,

			




	
	
	
		
 
                                             repo_count)

			




	
	
	
		
 
            })

			




	
	
	
		
 

			




	
	
	
		
 
        c.data = {

			




	
	
	
		
 
            "sort": None,

			




	
	
	
		
 
            "dir": "asc",

			




	
	
	
		
 
            "records": repo_groups_data

			




	
	
	
		
 
        }

			




	
	
	
		
 

			




	
	
	
		
 
        return render('admin/repo_groups/repo_groups.html')

			




	
	
	
		
 

			




	
	
	
		
 
    def create(self):

			




	
	
	
		
 
        self.__load_defaults()

			




	
	
	
		
 

			




	
	
	
		
 
        # permissions for can create group based on parent_id are checked

			




	
	
	
		
 
        # here in the Form

			




	
	
	
		
 
        repo_group_form = RepoGroupForm(repo_groups=c.repo_groups)

			




	
	
	
		
 
        form_result = None

			




	
	
	
		
 
        try:

			




        

    


    
    

    

        

                

                    kallithea/model/repo.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -147,60 +147,60 @@ class RepoModel(object):

			




	
	
	
		
 
        def atom_lnk(repo_name):

			




	
	
	
		
 
            return _render("atom", repo_name)

			




	
	
	
		
 

			




	
	
	
		
 
        def last_rev(repo_name, cs_cache):

			




	
	
	
		
 
            return _render('revision', repo_name, cs_cache.get('revision'),

			




	
	
	
		
 
                           cs_cache.get('raw_id'), cs_cache.get('author'),

			




	
	
	
		
 
                           cs_cache.get('message'))

			




	
	
	
		
 

			




	
	
	
		
 
        def desc(desc):

			




	
	
	
		
 
            return h.urlify_text(desc, truncate=80, stylize=c.visual.stylify_metalabels)

			




	
	
	
		
 

			




	
	
	
		
 
        def state(repo_state):

			




	
	
	
		
 
            return _render("repo_state", repo_state)

			




	
	
	
		
 

			




	
	
	
		
 
        def repo_actions(repo_name):

			




	
	
	
		
 
            return _render('repo_actions', repo_name)

			




	
	
	
		
 

			




	
	
	
		
 
        def owner_actions(owner_id, username):

			




	
	
	
		
 
            return _render('user_name', owner_id, username)

			




	
	
	
		
 

			




	
	
	
		
 
        repos_data = []

			




	
	
	
		
 

			




	
	
	
		
 
        for gr in repo_groups_list or []:

			




	
	
	
		
 
            repos_data.append(dict(

			




	
	
	
		
 
                raw_name='\0' + gr.name, # sort before repositories

			




	
	
	
		
 
                just_name=gr.name,

			




	
	
	
		
 
                raw_name='\0' + h.html_escape(gr.name), # sort before repositories

			




	
	
	
		
 
                just_name=h.html_escape(gr.name),

			




	
	
	
		
 
                name=_render('group_name_html', group_name=gr.group_name, name=gr.name),

			




	
	
	
		
 
                desc=desc(gr.group_description)))

			




	
	
	
		
 

			




	
	
	
		
 
        for repo in repos_list:

			




	
	
	
		
 
            if not HasRepoPermissionLevel('read')(repo.repo_name, 'get_repos_as_dict check'):

			




	
	
	
		
 
                continue

			




	
	
	
		
 
            cs_cache = repo.changeset_cache

			




	
	
	
		
 
            row = {

			




	
	
	
		
 
                "raw_name": repo.repo_name,

			




	
	
	
		
 
                "just_name": repo.just_name,

			




	
	
	
		
 
                "raw_name": h.html_escape(repo.repo_name),

			




	
	
	
		
 
                "just_name": h.html_escape(repo.just_name),

			




	
	
	
		
 
                "name": repo_lnk(repo.repo_name, repo.repo_type,

			




	
	
	
		
 
                                 repo.repo_state, repo.private, repo.fork),

			




	
	
	
		
 
                "following": following(

			




	
	
	
		
 
                    repo.repo_id,

			




	
	
	
		
 
                    ScmModel().is_following_repo(repo.repo_name, request.authuser.user_id),

			




	
	
	
		
 
                ),

			




	
	
	
		
 
                "last_change_iso": repo.last_db_change.isoformat(),

			




	
	
	
		
 
                "last_change": last_change(repo.last_db_change),

			




	
	
	
		
 
                "last_changeset": last_rev(repo.repo_name, cs_cache),

			




	
	
	
		
 
                "last_rev_raw": cs_cache.get('revision'),

			




	
	
	
		
 
                "desc": desc(repo.description),

			




	
	
	
		
 
                "owner": h.person(repo.owner),

			




	
	
	
		
 
                "state": state(repo.repo_state),

			




	
	
	
		
 
                "rss": rss_lnk(repo.repo_name),

			




	
	
	
		
 
                "atom": atom_lnk(repo.repo_name),

			




	
	
	
		
 
            }

			




	
	
	
		
 
            if admin:

			




	
	
	
		
 
                row.update({

			




	
	
	
		
 
                    "action": repo_actions(repo.repo_name),

			




	
	
	
		
 
                    "owner": owner_actions(repo.owner_id,

			




	
	
	
		
 
                                           h.person(repo.owner))

			




	
	
	
		
 
                })

			




	
	
	
		
 
            repos_data.append(row)

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        Server instance: clio-18436
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.
            – Support