kallithea Files · scripts/validate-commits

Files @ c7728c5736fd

Branch filter:

Location: kallithea/scripts/validate-commits - annotation

c7728c5736fd 1.4 KiB text/plain Show Source Show as Raw Download as Raw

Thomas De Schampheleire

templates: narrow down scope of webhelpers.html.literal for HTML injection

When using webhelpers.html.literal to inject some explicit HTML code with
some variable data, there are two approaches:
h.literal('some <html> code with %s data' % foobar)
or
h.literal('some <html> code with %s data') % foobar

In the first case, the literal also applies to the contents of variable
'foobar' which may be influenceable by users and thus potentially malicious.
In the second case, this term will be escaped by webhelpers.

See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html#webhelpers.html.builder.literal
"Also, if you add another string to this string, the other string will
be quoted and you will get back another literal object. Also
literal(...) % obj will quote any value(s) from obj."

In files_browser.html, the correction of this scope of literal() also means
that explicit escaping of node.name can be removed. The escaping is now done
automatically by webhelpers as mentioned above.

69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26
69f70de15f26

#!/usr/bin/env bash
# Validate the specified commits against test suite and other checks.

if [ -n "$VIRTUAL_ENV" ]; then
    echo "Please run this script from outside a virtualenv."
    exit 1
fi

if ! hg update --check -q .; then
    echo "Working dir is not clean, please commit/revert changes first."
    exit 1
fi

venv=$(mktemp -d kallithea-validatecommits-env-XXXXXX)
resultfile=$(mktemp kallithea-validatecommits-result-XXXXXX)
echo > "$resultfile"

cleanup()
{
    rm -rf /tmp/kallithea-test*
    rm -rf "$venv"
}
finish()
{
    cleanup
    # print (possibly intermediate) results
    cat "$resultfile"
    rm "$resultfile"
}
trap finish EXIT

for rev in $(hg log -r "$1" -T '{node}\n'); do
    hg log -r "$rev"
    hg update "$rev"

    cleanup
    virtualenv -p "$(command -v python2)" "$venv"
    source "$venv/bin/activate"
    pip install --upgrade pip setuptools
    pip install -e .
    pip install -r dev_requirements.txt
    pip install python-ldap python-pam

    # run-all-cleanup
    scripts/run-all-cleanup
    if ! hg update --check -q .; then
        echo "run-all-cleanup did not give clean results!"
        result="NOK"
        hg diff
        hg revert -a
    else
        result=" OK"
    fi
    echo "$result: $rev (run-all-cleanup)" >> "$resultfile"

    # pytest
    if py.test; then
        result=" OK"
    else
        result="NOK"
    fi
    echo "$result: $rev (pytest)" >> "$resultfile"

    deactivate
    echo
done