Updated regex for BuildList#prepare_extra_params

app/models/build_list.rb

@@ -747,7 +747,8 @@ class BuildList < ActiveRecord::Base
     if extra_params.present?
       params = extra_params.slice(*BuildList::EXTRA_PARAMS)
       params.update(params) do |k,v|
-        v.strip.gsub(I18n.t("activerecord.attributes.build_list.extra_params.#{k}"), '').gsub(/[^\w\s-]/, '')
+        v.strip.gsub(I18n.t("activerecord.attributes.build_list.extra_params.#{k}"), '').
+          gsub(/[^\w\s\-["']]/, '')
       end
       self.extra_params = params.select{ |k,v| v.present? }
     end

spec/models/build_list_spec.rb

@@ -291,7 +291,7 @@ describe BuildList do
 
   end
 
-  describe '#can_publish?' do
+  context '#can_publish?' do
     let(:build_list) { FactoryGirl.create(:build_list) }
 
     before do
@@ -319,7 +319,7 @@ describe BuildList do
     end
   end
 
-  describe '#can_publish_into_testing?' do
+  context '#can_publish_into_testing?' do
     let(:build_list) { FactoryGirl.create(:build_list) }
 
     before do
@@ -337,4 +337,14 @@ describe BuildList do
     end
   end
 
+  context '#prepare_extra_params' do
+    let(:build_list) { FactoryGirl.build(:build_list) }
+
+    it 'removes unsafe symbols' do
+      build_list.extra_params = { 'build_rpm' => '--test \'001\' --define "cross armv7hl"{(@' }
+      build_list.send :prepare_extra_params
+      expect(build_list.extra_params['build_rpm']).to eq '--test \'001\' --define "cross armv7hl"'
+    end
+  end
+
 end