Added proper input escaping

2025-11-17 03:00:59 +01:00 · 2014-06-29 23:54:03 -03:00
parent e86fc8dd55
commit 1bef1b961d
7 changed files with 35 additions and 3 deletions
--- a/src/GitList/Application.php
+++ b/src/GitList/Application.php
@@ -69,6 +69,10 @@ class Application extends SilexApplication
            return $twig;
        }));

+        $this['escaper.argument'] = $this->share(function() {
+            return new Escaper\ArgumentEscaper();
+        });
+
        // Handle errors
        $this->error(function (\Exception $e, $code) use ($app) {
            if ($app['debug']) {
--- a/src/GitList/Controller/BlobController.php
+++ b/src/GitList/Controller/BlobController.php
@@ -43,6 +43,7 @@ class BlobController implements ControllerProviderInterface
            ));
        })->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('commitishPath', '.+')
+          ->convert('commitishPath', 'escaper.argument:escape')
          ->bind('blob');

        $route->get('{repo}/raw/{commitishPath}', function ($repo, $commitishPath) use ($app) {
@@ -66,6 +67,7 @@ class BlobController implements ControllerProviderInterface
            return new Response($blob, 200, $headers);
        })->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
+          ->convert('commitishPath', 'escaper.argument:escape')
          ->bind('blob_raw');

        return $route;
--- a/src/GitList/Controller/CommitController.php
+++ b/src/GitList/Controller/CommitController.php
@@ -61,6 +61,7 @@ class CommitController implements ControllerProviderInterface
        })->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
          ->value('commitishPath', null)
+          ->convert('commitishPath', 'escaper.argument:escape')
          ->bind('commits');

        $route->post('{repo}/commits/{branch}/search', function (Request $request, $repo, $branch = '') use ($app) {
@@ -89,6 +90,7 @@ class CommitController implements ControllerProviderInterface
            ));
        })->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('branch', $app['util.routing']->getBranchRegex())
+          ->convert('branch', 'escaper.argument:escape')
          ->bind('searchcommits');

        $route->get('{repo}/commit/{commit}', function ($repo, $commit) use ($app) {
@@ -125,6 +127,7 @@ class CommitController implements ControllerProviderInterface
            ));
        })->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
+          ->convert('commitishPath', 'escaper.argument:escape')
          ->bind('blame');

        return $route;
--- a/src/GitList/Controller/MainController.php
+++ b/src/GitList/Controller/MainController.php
@@ -48,6 +48,7 @@ class MainController implements ControllerProviderInterface
        })->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('branch', $app['util.routing']->getBranchRegex())
          ->value('branch', null)
+          ->convert('branch', 'escaper.argument:escape')
          ->bind('stats');

        $route->get('{repo}/{branch}/rss/', function($repo, $branch) use ($app) {
@@ -69,6 +70,7 @@ class MainController implements ControllerProviderInterface
        })->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('branch', $app['util.routing']->getBranchRegex())
          ->value('branch', null)
+          ->convert('branch', 'escaper.argument:escape')
          ->bind('rss');

        return $route;
--- a/src/GitList/Controller/NetworkController.php
+++ b/src/GitList/Controller/NetworkController.php
@@ -55,7 +55,7 @@ class NetworkController implements ControllerProviderInterface
                }

                $nextPageUrl = null;
-				
+
                if ($pager['last'] !== $pager['current']) {
                    $nextPageUrl = $app['url_generator']->generate(
                        'networkData',
@@ -66,10 +66,10 @@ class NetworkController implements ControllerProviderInterface
                        )
                    );
                }
-				
+
 				// when no commits are given, return an empty response - issue #369
 				if( count($commits) === 0 ) {
-					return $app->json( array( 
+					return $app->json( array(
 						'repo' => $repo,
 						'commitishPath' => $commitishPath,
 						'nextPage' => null,
@@ -91,6 +91,7 @@ class NetworkController implements ControllerProviderInterface
        )->assert('repo', $app['util.routing']->getRepositoryRegex())
        ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
        ->value('commitishPath', null)
+        ->convert('commitishPath', 'escaper.argument:escape')
        ->assert('page', '\d+')
        ->value('page', '0')
        ->bind('networkData');
@@ -119,6 +120,7 @@ class NetworkController implements ControllerProviderInterface
        )->assert('repo', $app['util.routing']->getRepositoryRegex())
        ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
        ->value('commitishPath', null)
+        ->convert('commitishPath', 'escaper.argument:escape')
        ->bind('network');

        return $route;
--- a/src/GitList/Controller/TreeController.php
+++ b/src/GitList/Controller/TreeController.php
@@ -45,6 +45,7 @@ class TreeController implements ControllerProviderInterface
            ));
        })->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
+          ->convert('commitishPath', 'escaper.argument:escape')
          ->bind('tree');

        $route->post('{repo}/tree/{branch}/search', function (Request $request, $repo, $branch = '', $tree = '') use ($app) {
@@ -69,6 +70,7 @@ class TreeController implements ControllerProviderInterface
            ));
        })->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('branch', $app['util.routing']->getBranchRegex())
+          ->convert('branch', 'escaper.argument:escape')
          ->bind('search');

        $route->get('{repo}/{format}ball/{branch}', function($repo, $format, $branch) use ($app) {
@@ -95,6 +97,7 @@ class TreeController implements ControllerProviderInterface
        })->assert('format', '(zip|tar)')
          ->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('branch', $app['util.routing']->getBranchRegex())
+          ->convert('branch', 'escaper.argument:escape')
          ->bind('archive');


@@ -102,6 +105,7 @@ class TreeController implements ControllerProviderInterface
            return $treeController($repo, $branch);
        })->assert('repo', $app['util.routing']->getRepositoryRegex())
          ->assert('branch', $app['util.routing']->getBranchRegex())
+          ->convert('branch', 'escaper.argument:escape')
          ->bind('branch');

        $route->get('{repo}/', function($repo) use ($app, $treeController) {
--- a/src/GitList/Escaper/ArgumentEscaper.php
+++ b/src/GitList/Escaper/ArgumentEscaper.php
@@ -0,0 +1,15 @@
+<?php
+
+namespace GitList\Escaper;
+
+class ArgumentEscaper
+{
+    public function escape($argument)
+    {
+        if ($argument === null) {
+            return null;
+        }
+
+        return escapeshellcmd($argument);
+    }
+}