kallithea Files · .coveragerc

Files @ 109b068ba6e5

Branch filter:

Location: kallithea/.coveragerc

109b068ba6e5 1.1 KiB text/plain Show Annotation Show as Raw Download as Raw

mads

templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS

On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

[run]
omit =
    # the bin scripts are not part of the Kallithea web app
    kallithea/bin/*
    # we ship with no active extensions
    kallithea/config/rcextensions/*
    # dbmigrate is not a part of the Kallithea web app
    kallithea/lib/dbmigrate/*
    # the tests themselves should not be part of the coverage report
    kallithea/tests/*
    # the scm hooks are not run in the kallithea process
    kallithea/config/post_receive_tmpl.py
    kallithea/config/pre_receive_tmpl.py

# same omit lines should be present in sections 'run' and 'report'
[report]
omit =
    # the bin scripts are not part of the Kallithea web app
    kallithea/bin/*
    # we ship with no active extensions
    kallithea/config/rcextensions/*
    # dbmigrate is not a part of the Kallithea web app
    kallithea/lib/dbmigrate/*
    # the tests themselves should not be part of the coverage report
    kallithea/tests/*
    # the scm hooks are not run in the kallithea process
    kallithea/config/post_receive_tmpl.py
    kallithea/config/pre_receive_tmpl.py

[paths]
source =
    kallithea/
    **/workspace/*/kallithea