Stricter validation of given revisions of repositories (#35085).

Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@20962 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Go MAEDA <maeda@farend.jp> 2021-04-23 00:46:45 +0000
committer: Go MAEDA <maeda@farend.jp> 2021-04-23 00:46:45 +0000
commit: 1cf427ee6380045c8f93216b80f63890926508af (patch)
tree: ad85acd7660d2b30d9a3bdb30c75715d1d6b0eee /lib
parent: ccd00df71ca30e8f10c8642b7a16763a6e19f6f2 (diff)
download: redmine-1cf427ee6380045c8f93216b80f63890926508af.tar.gz
redmine-1cf427ee6380045c8f93216b80f63890926508af.zip
3 files changed, 29 insertions, 0 deletions
diff --git a/lib/redmine/scm/adapters/abstract_adapter.rb b/lib/redmine/scm/adapters/abstract_adapter.rb
index dae621866..d0c3293a6 100644
--- a/lib/redmine/scm/adapters/abstract_adapter.rb
+++ b/lib/redmine/scm/adapters/abstract_adapter.rb
@@ -176,6 +176,14 @@ module Redmine
           (path[-1, 1] == "/") ? path[0..-2] : path
         end
 
+        def valid_name?(name)
+          return true if name.nil?
+          return true if name.is_a?(Integer) && name > 0
+          return true if name.is_a?(String) && name =~ /\A[0-9]*\z/
+
+          false
+        end
+
         private
 
         def retrieve_root_url
diff --git a/lib/redmine/scm/adapters/git_adapter.rb b/lib/redmine/scm/adapters/git_adapter.rb
index b85bd0296..363476cd4 100644
--- a/lib/redmine/scm/adapters/git_adapter.rb
+++ b/lib/redmine/scm/adapters/git_adapter.rb
@@ -420,6 +420,18 @@ module Redmine
           nil
         end
 
+        def valid_name?(name)
+          return false unless name.is_a?(String)
+
+          return false if name.start_with?('-', '/', 'refs/heads/', 'refs/remotes/')
+          return false if name == 'HEAD'
+
+          git_cmd ['show-ref', '--heads', '--tags', '--quiet', '--', name]
+          true
+        rescue ScmCommandAborted
+          false
+        end
+
         class Revision < Redmine::Scm::Adapters::Revision
           # Returns the readable identifier
           def format_identifier
diff --git a/lib/redmine/scm/adapters/mercurial_adapter.rb b/lib/redmine/scm/adapters/mercurial_adapter.rb
index 6ab5ec69d..075636ce1 100644
--- a/lib/redmine/scm/adapters/mercurial_adapter.rb
+++ b/lib/redmine/scm/adapters/mercurial_adapter.rb
@@ -296,6 +296,15 @@ module Redmine
           Annotate.new
         end
 
+        def valid_name?(name)
+          return false unless name.nil? || name.is_a?(String)
+
+          # Mercurials names don't need to be checked further as its CLI
+          # interface is restrictive enough to reject any invalid names on its
+          # own.
+          true
+        end
+
         class Revision < Redmine::Scm::Adapters::Revision
           # Returns the readable identifier
           def format_identifier
author	Go MAEDA <maeda@farend.jp>	2021-04-23 00:46:45 +0000
committer	Go MAEDA <maeda@farend.jp>	2021-04-23 00:46:45 +0000
commit	1cf427ee6380045c8f93216b80f63890926508af (patch)
tree	ad85acd7660d2b30d9a3bdb30c75715d1d6b0eee /lib
parent	ccd00df71ca30e8f10c8642b7a16763a6e19f6f2 (diff)
download	redmine-1cf427ee6380045c8f93216b80f63890926508af.tar.gz redmine-1cf427ee6380045c8f93216b80f63890926508af.zip