
Prevent XSS attack via group name. Added regex validation for group and team names
[wvm/gitlab.git] / app / models / user_team.rb
index 0442123..2f3091c 100644 (file)
@@ -1,3 +1,15 @@
+# == Schema Information
+#
+# Table name: user_teams
+#
+#  id         :integer          not null, primary key
+#  name       :string(255)
+#  path       :string(255)
+#  owner_id   :integer
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#
+
 class UserTeam < ActiveRecord::Base
   attr_accessible :name, :owner_id, :path
 
@@ -9,15 +21,18 @@ class UserTeam < ActiveRecord::Base
   has_many :projects, through: :user_team_project_relationships
   has_many :members,  through: :user_team_user_relationships, source: :user
 
-  validates :name, presence: true, uniqueness: true
   validates :owner, presence: true
+  validates :name, presence: true, uniqueness: true,
+            length: { within: 0..255 },
+            format: { with: Gitlab::Regex.name_regex,
+                      message: "only letters, digits, spaces & '_' '-' '.' allowed." }
   validates :path, uniqueness: true, presence: true, length: { within: 1..255 },
             format: { with: Gitlab::Regex.path_regex,
                       message: "only letters, digits & '_' '-' '.' allowed. Letter should be first" }
 
   scope :with_member, ->(user){ joins(:user_team_user_relationships).where(user_team_user_relationships: {user_id: user.id}) }
   scope :with_project, ->(project){ joins(:user_team_project_relationships).where(user_team_project_relationships: {project_id: project})}
-  scope :without_project, ->(project){ where("id NOT IN (:ids)", ids: with_project(project))}
+  scope :without_project, ->(project){ where("user_teams.id NOT IN (:ids)", ids: (a = with_project(project); a.blank? ? 0 : a))}
   scope :created_by, ->(user){ where(owner_id: user) }
 
   class << self
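Review bot: The new `format` validation on the `name` attribute only constrains the value if `Gitlab::Regex.name_regex` is anchored with `\A` and `\z`; in Ruby `^` and `$` match at line boundaries, so a multi-line value can satisfy a `^...$` pattern while still carrying arbitrary text between the newlines — the regex is defined outside this hunk, so confirm its anchors there. This rule is also input-side only: names already stored are not re-validated, and the views must keep escaping names on output rather than treating this validation as the XSS defence. A smaller point: `length: { within: 0..255 }` is redundant with `presence: true` and inconsistent with the `1..255` used for `path` directly below; `length: { within: 1..255 }` says what is meant. In the `without_project` scope, `a.blank?` loads the relation just to test emptiness and then `0` is used as a sentinel id, which assumes no team has id 0; passing a plain list of ids (e.g. `ids: with_project(project).pluck(:id)` if this Rails version provides `pluck`) and handling the empty case explicitly would avoid both the double query and the sentinel. The `class << self` block opened on the last line continues outside the hunk.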