Files @ 22da5f258118
Branch filter:

Location: kallithea/scripts/validate-commits

22da5f258118 1.4 KiB text/plain Show Annotation Show as Raw Download as Raw
Mads Kiilerich
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted

The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.

That could cause XSS issues, already when loading a PR page.

To avoid that, make sure autocompleteHighlightMatch always escape user
information. That makes the user safe as long as a rogue user isn't selected ...
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#!/usr/bin/env bash
# Validate the specified commits against test suite and other checks.

if [ -n "$VIRTUAL_ENV" ]; then
    echo "Please run this script from outside a virtualenv."
    exit 1
fi

if ! hg update --check -q .; then
    echo "Working dir is not clean, please commit/revert changes first."
    exit 1
fi

venv=$(mktemp -d kallithea-validatecommits-env-XXXXXX)
resultfile=$(mktemp kallithea-validatecommits-result-XXXXXX)
echo > "$resultfile"

cleanup()
{
    rm -rf /tmp/kallithea-test*
    rm -rf "$venv"
}
finish()
{
    cleanup
    # print (possibly intermediate) results
    cat "$resultfile"
    rm "$resultfile"
}
trap finish EXIT

for rev in $(hg log -r "$1" -T '{node}\n'); do
    hg log -r "$rev"
    hg update "$rev"

    cleanup
    virtualenv -p "$(command -v python2)" "$venv"
    source "$venv/bin/activate"
    pip install --upgrade pip setuptools
    pip install -e .
    pip install -r dev_requirements.txt
    pip install python-ldap python-pam

    # run-all-cleanup
    scripts/run-all-cleanup
    if ! hg update --check -q .; then
        echo "run-all-cleanup did not give clean results!"
        result="NOK"
        hg diff
        hg revert -a
    else
        result=" OK"
    fi
    echo "$result: $rev (run-all-cleanup)" >> "$resultfile"

    # pytest
    if py.test; then
        result=" OK"
    else
        result="NOK"
    fi
    echo "$result: $rev (pytest)" >> "$resultfile"

    deactivate
    echo
done
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.