Sanitize branch name and ref name

334fe865 · Marin Jankovski · 9eb571f0 · 334fe865
Commit 334fe865 authored 10 years ago by Marin Jankovski
--- a/app/controllers/projects/branches_controller.rb
+++ b/app/controllers/projects/branches_controller.rb
 class Projects::BranchesController < Projects::ApplicationController
+  include ActionView::Helpers::SanitizeHelper
  # Authorize
  before_filter :require_non_empty_project
  
@@ -16,8 +17,10 @@ class Projects::BranchesController < Projects::ApplicationController
  end
  
  def create
+    branch_name = sanitize(strip_tags(params[:branch_name]))
+    ref = sanitize(strip_tags(params[:ref]))
    result = CreateBranchService.new(project, current_user).
-        execute(params[:branch_name], params[:ref])
+        execute(branch_name, ref)
  
    if result[:status] == :success
      @branch = result[:branch]