This commit is contained in:
Eelco Dolstra 2008-11-14 13:57:17 +00:00
parent 83d6ad7aa2
commit 66f752beaf
3 changed files with 30 additions and 14 deletions


@ -11,6 +11,11 @@ use parent 'Catalyst::Controller';
__PACKAGE__->config->{namespace} = ''; __PACKAGE__->config->{namespace} = '';
# Security checking of filenames.
my $pathCompRE = "(?:[A-Za-z0-9-\+][A-Za-z0-9-\+\._]*)";
my $relPathRE = "(?:$pathCompRE(?:\/$pathCompRE)*)";
sub begin :Private { sub begin :Private {
my ( $self, $c ) = @_; my ( $self, $c ) = @_;
$c->stash->{projects} = [$c->model('DB::Projects')->search({}, {order_by => 'displayname'})]; $c->stash->{projects} = [$c->model('DB::Projects')->search({}, {order_by => 'displayname'})];
@ -74,8 +79,9 @@ sub updateProject {
my $jobsetName = $c->request->params->{"jobset-$baseName-name"}; my $jobsetName = $c->request->params->{"jobset-$baseName-name"};
die "Invalid jobset name: $jobsetName" unless $jobsetName =~ /^[[:alpha:]]\w*$/; die "Invalid jobset name: $jobsetName" unless $jobsetName =~ /^[[:alpha:]]\w*$/;
# The Nix expression path must be relative and can't contain ".." elements.
my $nixExprPath = $c->request->params->{"jobset-$baseName-nixexprpath"}; my $nixExprPath = $c->request->params->{"jobset-$baseName-nixexprpath"};
die "Invalid Nix expression path: $nixExprPath" unless $nixExprPath =~ /^\w++$/; # !!! stricter die "Invalid Nix expression path: $nixExprPath" if $nixExprPath !~ /^$relPathRE$/;
my $nixExprInput = $c->request->params->{"jobset-$baseName-nixexprinput"}; my $nixExprInput = $c->request->params->{"jobset-$baseName-nixexprinput"};
die "Invalid Nix expression input name: $nixExprInput" unless $nixExprInput =~ /^\w+$/; die "Invalid Nix expression input name: $nixExprInput" unless $nixExprInput =~ /^\w+$/;
@ -294,9 +300,7 @@ sub download :Local {
# Security paranoia. # Security paranoia.
foreach my $elem (@path) { foreach my $elem (@path) {
if ($elem eq "." || $elem eq ".." || $elem !~ /^[\w\-\.]+$/) { return error($c, "Invalid filename $elem.") if $elem !~ /^$pathCompRE$/;
return error($c, "Invalid filename $elem.");
}
} }
my $path = $product->path; my $path = $product->path;
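Review bot: The new path checks in updateProject (L22, the half that tests `$relPathRE`) and download (L28) are anchored with `^`/`$`, and `$` also matches just before a trailing newline, so a request value like `"foo\n"` is accepted as a valid relative path; anchor with `\A`/`\z` instead, e.g. `die "Invalid Nix expression path: $nixExprPath" if $nixExprPath !~ /\A$relPathRE\z/;` and `return error($c, "Invalid filename $elem.") if $elem !~ /\A$pathCompRE\z/;`. Building `$pathCompRE` and `$relPathRE` as double-quoted strings (L12-L13) also makes the escapes misleading: `\+`, `\.` and `\/` inside a string are just the literal characters, so the patterns work but read as if those were regex escapes. A `qr` form such as `my $pathCompRE = qr{ [A-Za-z0-9+-] [A-Za-z0-9+._-]* }x;` and `my $relPathRE = qr{ $pathCompRE (?: / $pathCompRE )* }x;` says the same thing, compiles once, and keeps the `(?:...)` grouping implicit when interpolated. Both updateProject and download start and end outside their hunks, so I cannot see whether `$nixExprPath` is guaranteed defined before the `!~` test; if it can be missing, the check warns and then dies with an empty value in the message.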


@ -16,12 +16,11 @@ h1 {
h2 { h2 {
font-size: 130%; font-size: 130%;
margin-top: 2em; margin-top: 1em;
} }
h3 { h3 {
font-size: 100%; font-size: 100%;
margin-top: 1.5em;
} }
table { table {
@ -181,14 +180,30 @@ tr.runningJob {
margin-left: 3em; margin-left: 3em;
} }
div.indent {
padding-left: 2em;
}
div.template { div.template {
display: none; display: none;
} }
div.jobset {
border: solid black 1px;
padding-left: 1em;
padding-right: 1em;
padding-bottom: 1em;
margin-bottom: 1em;
}
div.jobset-edit {
border: solid black 1px;
background-color: #f8f8f8;
padding-left: 1em;
padding-right: 1em;
margin-bottom: 1em;
}
div.jobset-edit h3, div.jobset h3 {
margin-top: 0.5em;
}
/* Sortable tables */ /* Sortable tables */
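Review bot: The new `div.jobset-edit` rule (L62-L68) repeats the `border`, `padding-left`, `padding-right` and `margin-bottom` declarations of `div.jobset` directly above it; since the template in this commit emits the class as `jobset jobset-edit` (L78), the element always matches both rules and `div.jobset-edit` only needs `background-color: #f8f8f8;`. Keeping the duplicated declarations means the two boxes will drift apart silently the next time one of them is edited.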


@ -13,12 +13,10 @@
[% BLOCK renderJobset %] [% BLOCK renderJobset %]
<div class="jobset"> <div class="jobset[% IF edit %] jobset-edit[% END %]">
<h3>[% IF jobset %]Jobset <tt>[% jobset.name %]</tt>[% ELSE %]New jobset[% END %]</h3> <h3>[% IF jobset %]Jobset <tt>[% jobset.name %]</tt>[% ELSE %]New jobset[% END %]</h3>
<div class="indent">
<h4>Information</h4> <h4>Information</h4>
<table> <table>
@ -90,7 +88,6 @@
[% END %] [% END %]
</div> </div>
</div>
[% END %] [% END %]