
Unescape and sanitize protected tag name on create and update

Patrick Bajao requested to merge 346618-tag-protection-fix into master

What does this MR do and why?

The frontend escapes the names of tags when listing the names in the dropdown. It also submits the escaped name as the tag to protect when creating a protected tag.

To fix it, we unescape and sanitize the name so it matches the appropriate tag name to be protected.

Same fix as https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/1953 but intentionally fixing this in canonical based on https://gitlab.com/gitlab-org/gitlab/-/issues/346618#note_744644199.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Create a protected tag named tag->name with "No One" allowed to create.
  2. As any user, create a tag with tag->name; it should fail since it's protected.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #346618
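
The mismatch described in this merge request, as an added example that is not GitLab's code: a rule stored under the HTML-escaped name never matches the real Git tag, while a rule normalized by unescaping and sanitizing does. The `ProtectedTagRules` class, the `normalize` helper and the regex-based tag stripping are assumptions made for illustration, standing in for the real model and HTML sanitizer.

```ruby
require "cgi"

# Hypothetical stand-in for a protected-tag rule store (not GitLab's model).
class ProtectedTagRules
  def initialize(normalize:)
    @normalize = normalize
    @patterns = []
  end

  # name_from_form is the value submitted by the dropdown.
  def protect(name_from_form)
    stored = @normalize ? self.class.normalize(name_from_form) : name_from_form
    @patterns << stored
    stored
  end

  # True when the Git tag name matches a stored rule ("*" is a wildcard).
  def protected?(tag_name)
    @patterns.any? do |pattern|
      regex = Regexp.new("\\A" + Regexp.escape(pattern).gsub("\\*", ".*") + "\\z")
      regex.match?(tag_name)
    end
  end

  # Unescape HTML entities, then drop anything that still parses as an
  # HTML element (simplified stand-in for a real HTML sanitizer).
  def self.normalize(name)
    unescaped = CGI.unescapeHTML(name.to_s)
    unescaped.gsub(/<\/?[a-zA-Z][^<>]*>/, "").strip
  end
end

# Constructed input: what an escaping frontend submits for "tag->name".
SUBMITTED = CGI.escapeHTML("tag->name") # "tag-&gt;name"

# Does a rule created from the submitted value block the real tag name?
def rule_blocks_tag?(normalize:)
  rules = ProtectedTagRules.new(normalize: normalize)
  rules.protect(SUBMITTED)
  rules.protected?("tag->name")
end

if __FILE__ == $PROGRAM_NAME
  puts "stored as submitted: #{rule_blocks_tag?(normalize: false)}"
  puts "stored normalized:   #{rule_blocks_tag?(normalize: true)}"
end
```

A regression test for this class of bug should assert on the stored rule name as well as on the create-tag refusal, since a rule saved under the escaped name looks valid in the UI but protects nothing.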
