
Added proper input escaping

Klaus Silveira authored on 30/06/2014 02:54:03
Showing 7 changed files
@@ -69,6 +69,10 @@ class Application extends SilexApplication
69 69
             return $twig;
70 70
         }));
71 71
 
72
+        $this['escaper.argument'] = $this->share(function() {
73
+            return new Escaper\ArgumentEscaper();
74
+        });
75
+
72 76
         // Handle errors
73 77
         $this->error(function (\Exception $e, $code) use ($app) {
74 78
             if ($app['debug']) {
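Review bot: The new `escaper.argument` service is registered without any comment, while the neighbouring block is introduced by `// Handle errors`; a reader meeting `escaper.argument:escape` in the controllers has to open `Escaper\ArgumentEscaper` to learn what the converter is for. Suggest `// Escapes route arguments (branch, commitishPath) before they are used on the command line` above the `$this['escaper.argument']` line. The enclosing registration code starts and continues outside the hunk.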
@@ -43,6 +43,7 @@ class BlobController implements ControllerProviderInterface
43 43
             ));
44 44
         })->assert('repo', $app['util.routing']->getRepositoryRegex())
45 45
           ->assert('commitishPath', '.+')
46
+          ->convert('commitishPath', 'escaper.argument:escape')
46 47
           ->bind('blob');
47 48
 
48 49
         $route->get('{repo}/raw/{commitishPath}', function ($repo, $commitishPath) use ($app) {
@@ -66,6 +67,7 @@ class BlobController implements ControllerProviderInterface
66 66
             return new Response($blob, 200, $headers);
67 67
         })->assert('repo', $app['util.routing']->getRepositoryRegex())
68 68
           ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
69
+          ->convert('commitishPath', 'escaper.argument:escape')
69 70
           ->bind('blob_raw');
70 71
 
71 72
         return $route;
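Review bot: The `blob` route in the first hunk still constrains `commitishPath` with `->assert('commitishPath', '.+')`, while the `blob_raw` route in the second hunk uses `$app['util.routing']->getCommitishPathRegex()` for the same parameter; the new converter does not close that gap, because `escapeshellcmd()` escapes shell metacharacters but does not quote the value or alter a leading `-`, so the assert remains the only thing deciding which values reach git. If the routing regex is meant to be the allow-list for commitish paths, the first route should use it as well: `->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())`. I cannot see the regex definition from here, so whether it already excludes a leading dash is something to confirm in `util.routing`. The route closures these chains belong to start outside the hunks.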
@@ -61,6 +61,7 @@ class CommitController implements ControllerProviderInterface
61 61
         })->assert('repo', $app['util.routing']->getRepositoryRegex())
62 62
           ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
63 63
           ->value('commitishPath', null)
64
+          ->convert('commitishPath', 'escaper.argument:escape')
64 65
           ->bind('commits');
65 66
 
66 67
         $route->post('{repo}/commits/{branch}/search', function (Request $request, $repo, $branch = '') use ($app) {
@@ -89,6 +90,7 @@ class CommitController implements ControllerProviderInterface
89 89
             ));
90 90
         })->assert('repo', $app['util.routing']->getRepositoryRegex())
91 91
           ->assert('branch', $app['util.routing']->getBranchRegex())
92
+          ->convert('branch', 'escaper.argument:escape')
92 93
           ->bind('searchcommits');
93 94
 
94 95
         $route->get('{repo}/commit/{commit}', function ($repo, $commit) use ($app) {
@@ -125,6 +127,7 @@ class CommitController implements ControllerProviderInterface
125 125
             ));
126 126
         })->assert('repo', $app['util.routing']->getRepositoryRegex())
127 127
           ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
128
+          ->convert('commitishPath', 'escaper.argument:escape')
128 129
           ->bind('blame');
129 130
 
130 131
         return $route;
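Review bot: The same `->convert('commitishPath', 'escaper.argument:escape')` / `->convert('branch', 'escaper.argument:escape')` line is now repeated on every route exposing these parameters, in all three hunks here and again in MainController, NetworkController and TreeController, so the protection depends on each future route remembering to add it alongside the matching `->assert(...)`. Keeping the allow-list regex and the converter together in one helper on `util.routing`, called once per route, would make an omission visible as a missing call rather than a silently unescaped parameter. Until then, a short comment next to the first converter in each controller, e.g. `// Route values are passed to git on the command line; keep assert() and convert() paired`, records why both lines are needed; I am inferring the command-line use from the escaper's choice of `escapeshellcmd()`, since the call sites are outside these hunks. The route closures start outside the hunks.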
@@ -48,6 +48,7 @@ class MainController implements ControllerProviderInterface
48 48
         })->assert('repo', $app['util.routing']->getRepositoryRegex())
49 49
           ->assert('branch', $app['util.routing']->getBranchRegex())
50 50
           ->value('branch', null)
51
+          ->convert('branch', 'escaper.argument:escape')
51 52
           ->bind('stats');
52 53
 
53 54
         $route->get('{repo}/{branch}/rss/', function($repo, $branch) use ($app) {
@@ -69,6 +70,7 @@ class MainController implements ControllerProviderInterface
69 69
         })->assert('repo', $app['util.routing']->getRepositoryRegex())
70 70
           ->assert('branch', $app['util.routing']->getBranchRegex())
71 71
           ->value('branch', null)
72
+          ->convert('branch', 'escaper.argument:escape')
72 73
           ->bind('rss');
73 74
 
74 75
         return $route;
@@ -55,7 +55,7 @@ class NetworkController implements ControllerProviderInterface
55 55
                 }
56 56
 
57 57
                 $nextPageUrl = null;
58
-				
58
+
59 59
                 if ($pager['last'] !== $pager['current']) {
60 60
                     $nextPageUrl = $app['url_generator']->generate(
61 61
                         'networkData',
@@ -66,10 +66,10 @@ class NetworkController implements ControllerProviderInterface
66 66
                         )
67 67
                     );
68 68
                 }
69
-				
69
+
70 70
 				// when no commits are given, return an empty response - issue #369
71 71
 				if( count($commits) === 0 ) {
72
-					return $app->json( array( 
72
+					return $app->json( array(
73 73
 						'repo' => $repo,
74 74
 						'commitishPath' => $commitishPath,
75 75
 						'nextPage' => null,
@@ -91,6 +91,7 @@ class NetworkController implements ControllerProviderInterface
91 91
         )->assert('repo', $app['util.routing']->getRepositoryRegex())
92 92
         ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
93 93
         ->value('commitishPath', null)
94
+        ->convert('commitishPath', 'escaper.argument:escape')
94 95
         ->assert('page', '\d+')
95 96
         ->value('page', '0')
96 97
         ->bind('networkData');
@@ -119,6 +120,7 @@ class NetworkController implements ControllerProviderInterface
119 119
         )->assert('repo', $app['util.routing']->getRepositoryRegex())
120 120
         ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
121 121
         ->value('commitishPath', null)
122
+        ->convert('commitishPath', 'escaper.argument:escape')
122 123
         ->bind('network');
123 124
 
124 125
         return $route;
@@ -45,6 +45,7 @@ class TreeController implements ControllerProviderInterface
45 45
             ));
46 46
         })->assert('repo', $app['util.routing']->getRepositoryRegex())
47 47
           ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
48
+          ->convert('commitishPath', 'escaper.argument:escape')
48 49
           ->bind('tree');
49 50
 
50 51
         $route->post('{repo}/tree/{branch}/search', function (Request $request, $repo, $branch = '', $tree = '') use ($app) {
@@ -69,6 +70,7 @@ class TreeController implements ControllerProviderInterface
69 69
             ));
70 70
         })->assert('repo', $app['util.routing']->getRepositoryRegex())
71 71
           ->assert('branch', $app['util.routing']->getBranchRegex())
72
+          ->convert('branch', 'escaper.argument:escape')
72 73
           ->bind('search');
73 74
 
74 75
         $route->get('{repo}/{format}ball/{branch}', function($repo, $format, $branch) use ($app) {
@@ -95,6 +97,7 @@ class TreeController implements ControllerProviderInterface
95 95
         })->assert('format', '(zip|tar)')
96 96
           ->assert('repo', $app['util.routing']->getRepositoryRegex())
97 97
           ->assert('branch', $app['util.routing']->getBranchRegex())
98
+          ->convert('branch', 'escaper.argument:escape')
98 99
           ->bind('archive');
99 100
 
100 101
 
@@ -102,6 +105,7 @@ class TreeController implements ControllerProviderInterface
102 102
             return $treeController($repo, $branch);
103 103
         })->assert('repo', $app['util.routing']->getRepositoryRegex())
104 104
           ->assert('branch', $app['util.routing']->getBranchRegex())
105
+          ->convert('branch', 'escaper.argument:escape')
105 106
           ->bind('branch');
106 107
 
107 108
         $route->get('{repo}/', function($repo) use ($app, $treeController) {
108 109
new file mode 100644
@@ -0,0 +1,15 @@
0
+<?php
1
+
2
+namespace GitList\Escaper;
3
+
4
+class ArgumentEscaper
5
+{
6
+    public function escape($argument)
7
+    {
8
+        if ($argument === null) {
9
+            return null;
10
+        }
11
+
12
+        return escapeshellcmd($argument);
13
+    }
14
+}
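Review bot: `escapeshellcmd()` on line 12 is the wrong primitive for a single argument: it is meant for a whole command string and neither quotes the value nor touches a leading `-`, so a value containing whitespace is still split into several arguments by the shell and one starting with a dash can still be read as an option by the program receiving it, whereas `escapeshellarg()` wraps the value as exactly one argument, which is what the service name promises. If the escaped value is concatenated into a shell command string, the method body should become `return escapeshellarg($argument);`, and the call sites should additionally reject values starting with `-` or place `--` before them; if the value is instead handed to an argv-style process API with no shell, no escaping belongs here at all, and the backslashes `escapeshellcmd()` inserts would corrupt otherwise valid ref names (a constructed example: a branch named `fix#12` becomes `fix\#12`). I cannot see the command construction from this page, so confirm which case applies before changing the call. Either way, a docblock on `escape()` should state the downstream context the output is safe for and that `null` is passed through unchanged, since the converter is also applied to routes with `->value('commitishPath', null)`.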