story #9525 use full regexp instead of wildcards
git admin
use full regexp instead of wildcards

I can fine tune my management rules

Git repository settings modifications:

  • In Permissions, when "Fine grain" is activated, there is a new checkbox to activate "regexp"
    • There is an info & warning message that informs users that by enabling this option, they might end up in a non-working state (eg. a non-terminated regexp). Invalid regexps will be ignored without errors.
  • When the "regexp" checkbox is unticked, all defined rules are checked against the default wildcard validator and invalid rules are discarded
    • There is a confirmation dialog to inform users about it
  • Activation of "regexp" mode is traced in "Project history" as well as regexp changes (as it's already done for wildcards)
  • On save, some basic formatting rules are checked (eg. "\n" is forbidden to avoid injecting crafted rules or attacks inside gitolite config)
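
An added illustration of the save-time checks listed above, not the project's own code: it rejects patterns containing control characters such as "\n", silently drops regexps that do not compile, and applies a wildcard check when regexp mode is off. The wildcard grammar, the refs/heads/ prefix, the rule layout and all names are assumptions, and Python's re module stands in for the engine that actually evaluates the rules.

```python
import re

# Assumed wildcard grammar (the story does not spell it out): ref path
# characters, optionally ending in a single "*".
WILDCARD_RE = re.compile(r"[A-Za-z0-9._/-]+\*?|\*")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # includes "\n" and "\r"


def is_valid_pattern(pattern: str, regexp_enabled: bool) -> bool:
    """Return True if the pattern may be written into the generated config."""
    # Checked in both modes: a line break would start a new config line.
    if not pattern or CONTROL_CHARS.search(pattern):
        return False
    if not regexp_enabled:
        return WILDCARD_RE.fullmatch(pattern) is not None
    try:
        re.compile(pattern)  # Python's engine stands in for the real one
    except re.error:
        return False  # e.g. a non-terminated group
    return True


def keep_valid_rules(rules, regexp_enabled):
    """Discard invalid rules without raising, as the story specifies."""
    return [r for r in rules if is_valid_pattern(r["pattern"], regexp_enabled)]


def render_rules(rules):
    """Render one gitolite-style access line per rule (assumed layout)."""
    return "\n".join(
        f"    {r['perm']} refs/heads/{r['pattern']} = @{r['group']}" for r in rules
    )


# Constructed sample rules, not taken from a real project.
SAMPLE_RULES = [
    {"perm": "RW", "pattern": "release/*", "group": "maintainers"},
    {"perm": "RW", "pattern": "feature/[0-9]+-.*$", "group": "developers"},
    {"perm": "RW", "pattern": "hotfix/(v[0-9]+", "group": "developers"},
    {"perm": "R", "pattern": "dev\n    RW+ refs/.* = @everyone", "group": "readers"},
]

if __name__ == "__main__":
    for mode in (True, False):
        kept = keep_valid_rules(SAMPLE_RULES, regexp_enabled=mode)
        print(f"regexp_enabled={mode}:")
        print(render_rules(kept))
```

Switching the same rule set from regexp mode to wildcard mode keeps only the rule that is also a valid wildcard, which is the behaviour the confirmation dialog has to announce.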

Git fork screen

  • It's not possible to activate "regexp" during repository fork.

Default git template (project level)

  • Git administrators can activate the regexp for the permission template defined at project level (with the same constraints & behaviour as for the project settings defined beforehand)
  • This setting is inherited at project creation if defined in project template

Site admin modifications:

  • As regexp might be used to trigger a regexp based DoS attack, the site admin must activate this option at site level before it is usable in projects
  • The option is disabled by default
  • If the site admin deactivates the option after it's been used in projects, there is no impact on existing projects. However, when those projects try to update their permissions after the deactivation, the regexp will be discarded
    • When this situation is detected ("use regexp activated in repo but disabled on platform"), there is a special message to warn the git administrator that after update the invalid permissions will be removed
    • It also applies to the repository template at project level

  • [ ] Does it involve User Interface?
  • [ ] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need Javascript development?
  • [ ] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
Manuel Vacelet (vaceletm)
2016-12-06 22:18
2016-09-29 11:18

Referencing story #9525

Git commit


Site admin option for regexp 6f5768d702
Add checkbox in permission form 91673bd4b4
Checkbox can be checked 30c2c9cfa9
in admin section regexp checkbox shouldn't be checked c2aafc11ca
Refactoring for regexp - introducing new object pattern validator 1fec91135f
Take regexp in account a54ac3106b
Uncheck repository regexp d4e334e424
You can choose to activate regexp even when admin doesn't allow it d245b6aac4
Log in project history regexp activation at repository level 310b511dbd
Pattern must end with $ 704aa900f0
Uncheck regexp in admin view 45522f5579
Activating and add regexp in same time should be allowed e1c62d6ede
Add a warning in admin section to warn administrators of regex danger activation d2c258f5df
Enabling or disabling regular expressions for Git branches/tags ACL must be protected against CSRF ed0823ee90
Check regexp in admin view d350cb3200
Inherit regexp permission during repository creation cb7289a759
Inherit during project creation 1119ea332c
Regexp checkbox can be unchecked at global level e70d86c687
Add logs when enabling regexp at global level 1b031acef5
Rename default in template in UI 705965e597
Refactoring: rename default by template (part 01) 0576a4d2d3
Refactoring: rename RegexpDefaultDao into RegexpTemplateDao d1a3fa09f0
Refactoring: rename DefaultPermissionsUpdater 9a8a6b83fb
Refactoring: rename 2 more classes d1a87d90af

