Merge branch 'import-symlinks-9-2' into 'security-9-2'

Fix file disclosure via hidden symlinks using the project import (9.2) See merge request !2163

Merge branch 'import-symlinks-9-2' into 'security-9-2'
248e14ea · James Edwards-Jones · 23ba6c72 · 248e14ea · 248e14ea · 248e14ea
Commit 248e14ea authored Aug 08, 2017 by James Edwards-Jones
3 changed files
--- a/changelogs/unreleased/fix-import-symbolink-links.yml
+++ b/changelogs/unreleased/fix-import-symbolink-links.yml
+---
+title: Remove hidden symlinks from project import files
+merge_request:
+author:
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -47,12 +47,16 @@ module Gitlab
      end
      def remove_symlinks!
-        Dir["#{@shared.export_path}/**/*"].each do |path|
+        extracted_files.each do |path|
          FileUtils.rm(path) if File.lstat(path).symlink?
        end
        true
      end
+      def extracted_files
+        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ /.*\/\.{1,2}$/ }
+      end
    end
  end
 end
--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
+++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
@@ -5,6 +5,7 @@ describe Gitlab::ImportExport::FileImporter, lib: true do
  let(:export_path) { "#{Dir.tmpdir}/file_importer_spec" }
  let(:valid_file) { "#{shared.export_path}/valid.json" }
  let(:symlink_file) { "#{shared.export_path}/invalid.json" }
+  let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
  let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
  before do
@@ -25,6 +26,10 @@ describe Gitlab::ImportExport::FileImporter, lib: true do
    expect(File.exist?(symlink_file)).to be false
  end
+  it 'removes hidden symlinks in root folder' do
+    expect(File.exist?(hidden_symlink_file)).to be false
+  end
  it 'removes symlinks in subfolders' do
    expect(File.exist?(subfolder_symlink_file)).to be false
  end