BigW Consortium Gitlab

Improve files API. Relative path check added. Create dir for new file if missing

parent a1d88f0f
...@@ -17,6 +17,13 @@ module Gitlab ...@@ -17,6 +17,13 @@ module Gitlab
# update the file in the satellite's working dir # update the file in the satellite's working dir
file_path_in_satellite = File.join(repo.working_dir, file_path) file_path_in_satellite = File.join(repo.working_dir, file_path)
# Prevent relative links
unless safe_path?(file_path_in_satellite)
Gitlab::GitLogger.error("FileAction: Relative path not allowed")
return false
end
File.delete(file_path_in_satellite) File.delete(file_path_in_satellite)
# add removed file # add removed file
......
...@@ -19,6 +19,13 @@ module Gitlab ...@@ -19,6 +19,13 @@ module Gitlab
# update the file in the satellite's working dir # update the file in the satellite's working dir
file_path_in_satellite = File.join(repo.working_dir, file_path) file_path_in_satellite = File.join(repo.working_dir, file_path)
# Prevent relative links
unless safe_path?(file_path_in_satellite)
Gitlab::GitLogger.error("FileAction: Relative path not allowed")
return false
end
File.open(file_path_in_satellite, 'w') { |f| f.write(content) } File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
# commit the changes # commit the changes
......
...@@ -8,6 +8,10 @@ module Gitlab ...@@ -8,6 +8,10 @@ module Gitlab
@file_path = file_path @file_path = file_path
@ref = ref @ref = ref
end end
def safe_path?(path)
File.absolute_path(path) == path
end
end end
end end
end end
...@@ -16,15 +16,19 @@ module Gitlab ...@@ -16,15 +16,19 @@ module Gitlab
# create target branch in satellite at the corresponding commit from bare repo # create target branch in satellite at the corresponding commit from bare repo
repo.git.checkout({raise: true, timeout: true, b: true}, ref, "origin/#{ref}") repo.git.checkout({raise: true, timeout: true, b: true}, ref, "origin/#{ref}")
# update the file in the satellite's working dir
file_path_in_satellite = File.join(repo.working_dir, file_path) file_path_in_satellite = File.join(repo.working_dir, file_path)
dir_name_in_satellite = File.dirname(file_path_in_satellite)
# Prevent relative links # Prevent relative links
unless File.absolute_path(file_path_in_satellite) == file_path_in_satellite unless safe_path?(file_path_in_satellite)
Gitlab::GitLogger.error("NewFileAction: Relative path not allowed") Gitlab::GitLogger.error("FileAction: Relative path not allowed")
return false return false
end end
# Create dir if not exists
FileUtils.mkdir_p(dir_name_in_satellite)
# Write file
File.open(file_path_in_satellite, 'w') { |f| f.write(content) } File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
# add new file # add new file
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment