Files @ 9beef1d91c4c
Branch filter:

Location: kallithea/scripts/make-release

9beef1d91c4c 2.5 KiB text/plain Show Annotation Show as Raw Download as Raw
Mads Kiilerich
pullrequests: prevent XSS when 'Potential Reviewers' are selected and first and last names cannot be trusted

The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.

That could cause XSS issues, already when adding rogue users as reviewers on a PR.

To avoid that, make sure select2 use the default escapeMarkup function. In
addReviewMember, use .html_escape when expanding the reviewer template.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
#!/bin/bash
set -e
set -x

cleanup()
{
  echo "Removing venv $venv"
  rm  -rf "$venv"
}

echo "Checking that you are NOT inside a virtualenv"
[ -z "$VIRTUAL_ENV" ]

venv=$(mktemp -d --tmpdir kallithea-release-XXXXX)
trap cleanup EXIT

echo "Setting up a fresh virtualenv in $venv"
virtualenv -p python2 "$venv"
. "$venv/bin/activate"

echo "Install/verify tools needed for building and uploading stuff"
pip install --upgrade -e .
pip install --upgrade -r dev_requirements.txt Sphinx-PyPI-upload

echo "Cleanup and update copyrights ... and clean checkout"
scripts/run-all-cleanup
scripts/update-copyrights.py
hg up -cr .

echo "Make release build from clean checkout in build/"
rm -rf build dist
hg archive build
cd build

echo "Check that each entry in MANIFEST.in match something"
sed -e 's/[^ ]*[ ]*\([^ ]*\).*/\1/g' MANIFEST.in | xargs ls -lad

echo "Build dist"
python2 setup.py compile_catalog
python2 setup.py sdist

echo "Verify VERSION from kallithea/__init__.py"
namerel=$(cd dist && echo Kallithea-*.tar.gz)
namerel=${namerel%.tar.gz}
version=${namerel#Kallithea-}
ls -l $(pwd)/dist/$namerel.tar.gz
echo "Releasing Kallithea $version in directory $namerel"

echo "Verify dist file content"
diff -u <((hg mani | grep -v '^\.hg') | LANG=C sort) <(tar tf dist/Kallithea-$version.tar.gz | sed "s|^$namerel/||" | grep . | grep -v '^kallithea/i18n/.*/LC_MESSAGES/kallithea.mo$\|^Kallithea.egg-info/\|^PKG-INFO$\|/$' | LANG=C sort)

echo "Verify docs build"
python2 setup.py build_sphinx # not used yet ... but we want to make sure it builds

cat - << EOT

Now, make sure
* all tests are passing
* release note is ready
* announcement is ready
* source has been pushed to https://kallithea-scm.org/repos/kallithea

EOT

echo "Verify current revision is tagged for $version"
hg log -r "'$version'&." | grep .

echo -n "Enter \"pypi\" to upload Kallithea $version to pypi: "
read answer
[ "$answer" = "pypi" ]

echo "Upload docs to pypi"
# See https://wiki.python.org/moin/PyPiDocumentationHosting
python2 setup.py build_sphinx upload_sphinx
xdg-open http://packages.python.org/Kallithea/installation.html

echo "Rebuild readthedocs for docs.kallithea-scm.org"
xdg-open https://readthedocs.org/projects/kallithea/
curl -X POST http://readthedocs.org/build/kallithea
xdg-open https://readthedocs.org/builds/kallithea/
xdg-open http://docs.kallithea-scm.org/en/latest/ # or whatever the branch is

extraargs=${EMAIL:+--identity=$EMAIL}
python2 setup.py sdist upload --sign $extraargs
xdg-open https://pypi.python.org/pypi/Kallithea
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.