Unverified Commit d20cbad4 authored by Nicola Soranzo's avatar Nicola Soranzo Committed by GitHub

Merge pull request #7626 from martenson/18.09.backport-xss

[18.09] backport xss
parents 2899cf3d a07c99d5
+17 −7
@@ -1721,6 +1721,7 @@ class RepositoryController(BaseUIController, ratings_util.ItemRatings):
        user_id = kwd.get('user_id', None)
        repository_id = kwd.get('repository_id', None)
        changeset_revision = kwd.get('changeset_revision', None)
        self.validate_changeset_revision(trans, changeset_revision, repository_id)
        return trans.fill_template('/webapps/tool_shed/index.mako',
                                   repository_metadata=repository_metadata,
                                   can_administer_repositories=can_administer_repositories,
@@ -2167,6 +2168,7 @@ class RepositoryController(BaseUIController, ratings_util.ItemRatings):
        status = kwd.get('status', 'done')
        repository = repository_util.get_repository_in_tool_shed(trans.app, repository_id)
        changeset_revision = kwd.get('changeset_revision', repository.tip(trans.app))
        self.validate_changeset_revision(trans, changeset_revision, repository_id)
        repository_metadata = metadata_util.get_repository_metadata_by_changeset_revision(trans.app, repository_id, changeset_revision)
        if repository_metadata:
            repository_metadata_id = trans.security.encode_id(repository_metadata.id),
@@ -2801,13 +2803,7 @@ class RepositoryController(BaseUIController, ratings_util.ItemRatings):
        repo = hg_util.get_repo_for_repository(trans.app, repository=repository)
        avg_rating, num_ratings = self.get_ave_item_rating_data(trans.sa_session, repository, webapp_model=trans.model)
        changeset_revision = kwd.get('changeset_revision', repository.tip(trans.app))
        if not hg_util.get_changectx_for_changeset(repo, changeset_revision):
            message = 'Invalid changeset revision'
            return trans.response.send_redirect(web.url_for(controller='repository',
                                                            action='index',
                                                            repository_id=id,
                                                            message=message,
                                                            status='error'))
        self.validate_changeset_revision(trans, changeset_revision, id)
        repository.share_url = repository_util.generate_sharable_link_for_repository_in_tool_shed(repository, changeset_revision=changeset_revision)
        repository.clone_url = common_util.generate_clone_url_for_repository_in_tool_shed(trans.user, repository)
        display_reviews = kwd.get('display_reviews', False)
@@ -2902,6 +2898,7 @@ class RepositoryController(BaseUIController, ratings_util.ItemRatings):
        tool_lineage = []
        tool = None
        guid = None
        self.validate_changeset_revision(trans, changeset_revision, repository_id)
        revision_label = hg_util.get_revision_label(trans.app, repository, changeset_revision, include_date=False)
        repository_metadata = metadata_util.get_repository_metadata_by_changeset_revision(trans.app, repository_id, changeset_revision)
        if repository_metadata:
@@ -2989,3 +2986,16 @@ class RepositoryController(BaseUIController, ratings_util.ItemRatings):
                                   metadata=metadata,
                                   message=message,
                                   status=status)

    def validate_changeset_revision(self, trans, changeset_revision, repository_id):
        """In case changeset revision is invalid send them to the repository page"""
        if changeset_revision:
            repository = repository_util.get_repository_in_tool_shed(trans.app, repository_id)
            repo = hg_util.get_repo_for_repository(trans.app, repository=repository)
            if not hg_util.get_changectx_for_changeset(repo, changeset_revision):
                message = 'Invalid changeset revision'
                return trans.response.send_redirect(web.url_for(controller='repository',
                                                                action='index',
                                                                repository_id=repository_id,
                                                                message=message,
                                                                status='error'))
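Review bot: The value returned by `validate_changeset_revision` is discarded at every new call site (the call before `fill_template` in the first hunk and the single-line calls in the second, third and fourth hunks), so a caller keeps executing with the invalid `changeset_revision` — for example the `get_repository_metadata_by_changeset_revision` lookup on the line right after the second call — and the redirect only takes effect if `send_redirect` mutates `trans.response` as a side effect, which nothing in these hunks shows. Making the outcome explicit at each call site closes that gap: `redirect = self.validate_changeset_revision(trans, changeset_revision, repository_id)` followed by `if redirect: return redirect`. The helper's docstring should also say what it returns, e.g. `"""Redirect to the repository index when changeset_revision is set but unknown to the repo; returns the redirect response on failure, None otherwise."""`. The enclosing methods of the first four hunks start outside the visible lines.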
+16 −3
<%!
    import bleach

    def inherit(context):
        if context.get('use_panels'):
            if context.get('webapp'):
@@ -51,12 +53,23 @@

## Render large message.
<%def name="render_large_message( message, status )">
    <div class="${status}messagelarge" style="margin: 1em">${_(message)}</div>
    <%
        if status not in ("done", "info", "error", "warning"):
            status = "infomessagelarge"
        else:
            status = status + "messagelarge"
    %>
    <div class="${status}" style="margin: 1em">${_(bleach.clean(message))}</div>
</%def>

## Render a message
<%def name="render_msg( msg, status='done' )">
    <div class="${status}message">${_(msg)}</div>
    <br/>
    <%
        if status not in ("done", "info", "error", "warning"):
            status = "infomessage"
        else:
            status = status + "message"
    %>
    <div class="${status}">${_(bleach.clean(msg))}</div>
</%def>
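Review bot: `bleach.clean` is called with its defaults in both `render_large_message` and `render_msg`, which escapes disallowed tags rather than stripping them and still admits bleach's small default allowlist (for example `b`, `em`, `a` with `href`), so any caller that previously relied on markup such as `<br/>` inside a message will now see it rendered literally; if that is intended, a comment saying so would help the next reader, e.g. `## message may arrive via the request query string (see the controller redirects), so markup is neutralised before rendering`. The `status` normalisation block is duplicated verbatim between the two defs and could be a single module-level helper in the `<%!` block, which also keeps the class-attribute whitelist in one place. The `<%!` hunk that adds `import bleach` starts outside the visible lines.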
+4 −6
@@ -29,7 +29,7 @@ import galaxy.model.tool_shed_install as galaxy_model
import galaxy.util
import galaxy.webapps.tool_shed.util.hgweb_config
from base.testcase import FunctionalTestCase  # noqa: I100,I201,I202
from galaxy.util import unicodify  # noqa: I201
from galaxy.util import smart_str, unicodify  # noqa: I201
from galaxy.web import security  # noqa: I201
from tool_shed.util import hg_util, xml_util
from tool_shed.util.encoding_util import tool_shed_encode
@@ -465,11 +465,9 @@ class ShedTwillTestCase(FunctionalTestCase):
        return self.wait_for(lambda: self.get_running_datasets(), **kwds)

    def write_temp_file(self, content, suffix='.html'):
        fd, fname = tempfile.mkstemp(suffix=suffix, prefix='twilltestcase-')
        f = os.fdopen(fd, "w")
        f.write(content)
        f.close()
        return fname
        with tempfile.NamedTemporaryFile(suffix=suffix, prefix='twilltestcase-', delete=False) as fh:
            fh.write(smart_str(content))
        return fh.name

    def add_repository_review_component(self, **kwd):
        params = {
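Review bot: The rewritten `write_temp_file` depends on `NamedTemporaryFile`'s default binary mode, which is why `smart_str(content)` is now required, but neither that nor the fact that `delete=False` leaves the file for the caller to remove is documented; a short docstring would carry both, e.g. `"""Write content to a fresh temp file and return its path; the file is opened in binary mode (hence smart_str) and is not deleted automatically."""`. Passing `mode='wb'` explicitly would make the encoding requirement visible at the call rather than implicit in the default. The import change in the first hunk is what brings `smart_str` into scope.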