
Commit a738a446 by Michael Kozono

Check disabled commands in GitAccess instead

parent 2d6cafa7
...@@ -76,8 +76,6 @@ class Projects::GitHttpController < Projects::GitHttpClientController ...@@ -76,8 +76,6 @@ class Projects::GitHttpController < Projects::GitHttpClientController
end end
def upload_pack_allowed? def upload_pack_allowed?
return false unless Gitlab.config.gitlab_shell.upload_pack
access_check.allowed? || ci? access_check.allowed? || ci?
end end
...@@ -96,8 +94,6 @@ class Projects::GitHttpController < Projects::GitHttpClientController ...@@ -96,8 +94,6 @@ class Projects::GitHttpController < Projects::GitHttpClientController
end end
def receive_pack_allowed? def receive_pack_allowed?
return false unless Gitlab.config.gitlab_shell.receive_pack
access_check.allowed? access_check.allowed?
end end
......
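Review bot: With the config guard dropped from `upload_pack_allowed?`, the `ci?` alternative on the next line no longer passes through the disabled-command check at all, because that check now lives in GitAccess and is only reached via `access_check.allowed?`; a CI-token fetch over HTTP would succeed with `gitlab_shell.upload_pack` set to false, which the removed `return false unless` line used to prevent. Either route the CI path through the same check or keep the guard on that branch, e.g. `access_check.allowed? || (ci? && Gitlab.config.gitlab_shell.upload_pack)`. `receive_pack_allowed?` has no such alternative and is fine as changed. The enclosing class starts and ends outside these hunks, and what `ci?` actually tests is not visible here.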
...@@ -12,7 +12,9 @@ module Gitlab ...@@ -12,7 +12,9 @@ module Gitlab
no_repo: 'A repository for this project does not exist yet.', no_repo: 'A repository for this project does not exist yet.',
project_not_found: 'The project you were looking for could not be found.', project_not_found: 'The project you were looking for could not be found.',
account_blocked: 'Your account has been blocked.', account_blocked: 'Your account has been blocked.',
command_not_allowed: "The command you're trying to execute is not allowed." command_not_allowed: "The command you're trying to execute is not allowed.",
upload_pack_disabled_in_config: 'The command "git-upload-pack" is not allowed.',
receive_pack_disabled_in_config: 'The command "git-receive-pack" is not allowed.'
}.freeze }.freeze
DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }.freeze DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }.freeze
...@@ -33,6 +35,7 @@ module Gitlab ...@@ -33,6 +35,7 @@ module Gitlab
check_protocol! check_protocol!
check_active_user! check_active_user!
check_project_accessibility! check_project_accessibility!
check_command_disabled!(cmd)
check_command_existence!(cmd) check_command_existence!(cmd)
check_repository_existence! check_repository_existence!
...@@ -86,6 +89,16 @@ module Gitlab ...@@ -86,6 +89,16 @@ module Gitlab
end end
end end
def check_command_disabled!(cmd)
if http?
if upload_pack?(cmd) && !Gitlab.config.gitlab_shell.upload_pack
raise UnauthorizedError, ERROR_MESSAGES[:upload_pack_disabled_in_config]
elsif receive_pack?(cmd) && !Gitlab.config.gitlab_shell.receive_pack
raise UnauthorizedError, ERROR_MESSAGES[:receive_pack_disabled_in_config]
end
end
end
def check_command_existence!(cmd) def check_command_existence!(cmd)
unless ALL_COMMANDS.include?(cmd) unless ALL_COMMANDS.include?(cmd)
raise UnauthorizedError, ERROR_MESSAGES[:command_not_allowed] raise UnauthorizedError, ERROR_MESSAGES[:command_not_allowed]
...@@ -179,6 +192,18 @@ module Gitlab ...@@ -179,6 +192,18 @@ module Gitlab
end || Guest.can?(:read_project, project) end || Guest.can?(:read_project, project)
end end
def http?
protocol == 'http'
end
def upload_pack?(command)
command == 'git-upload-pack'
end
def receive_pack?(command)
command == 'git-receive-pack'
end
protected protected
def user def user
......
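Review bot: `check_command_disabled!` is gated on `http?`, i.e. `protocol == 'http'` exactly, so any other protocol value reaching `check` — SSH, or an 'https' string if a caller ever passes one — skips the new check with no explanation in the code. If SSH is deliberately left to gitlab-shell, say so at the guard, `# Only enforced here for HTTP; over SSH gitlab-shell is expected to apply these config flags itself`, and confirm the HTTP controller always passes the literal 'http'. A smaller point of style: the two new messages repeat the existing `command_not_allowed` wording with the command name filled in, so one message built from the command (`"The command \"#{cmd}\" is not allowed."`) would avoid three near-duplicate strings. The `check` method and the module continue outside these hunks.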
require 'spec_helper' require 'spec_helper'
describe Gitlab::GitAccess, lib: true do describe Gitlab::GitAccess, lib: true do
let(:access) { Gitlab::GitAccess.new(actor, project, 'ssh', authentication_abilities: authentication_abilities) } let(:access) { Gitlab::GitAccess.new(actor, project, protocol, authentication_abilities: authentication_abilities) }
let(:project) { create(:project, :repository) } let(:project) { create(:project, :repository) }
let(:user) { create(:user) } let(:user) { create(:user) }
let(:actor) { user } let(:actor) { user }
let(:protocol) { 'ssh' }
let(:authentication_abilities) do let(:authentication_abilities) do
[ [
:read_project, :read_project,
...@@ -50,6 +51,46 @@ describe Gitlab::GitAccess, lib: true do ...@@ -50,6 +51,46 @@ describe Gitlab::GitAccess, lib: true do
end end
end end
describe '#check with commands disabled' do
before { project.team << [user, :master] }
context 'over http' do
let(:protocol) { 'http' }
context 'when the git-upload-pack command is disabled in config' do
before do
allow(Gitlab.config.gitlab_shell).to receive(:upload_pack).and_return(false)
end
context 'when calling git-upload-pack' do
subject { access.check('git-upload-pack', '_any') }
it { expect(subject.allowed?).to be_falsey }
it { expect(subject.message).to eq('The command "git-upload-pack" is not allowed.') }
end
context 'when calling git-receive-pack' do
it { expect(access.check('git-receive-pack', '_any').allowed?).to be_truthy }
end
end
context 'when the git-receive-pack command is disabled in config' do
before do
allow(Gitlab.config.gitlab_shell).to receive(:receive_pack).and_return(false)
end
context 'when calling git-receive-pack' do
subject { access.check('git-receive-pack', '_any') }
it { expect(subject.allowed?).to be_falsey }
it { expect(subject.message).to eq('The command "git-receive-pack" is not allowed.') }
end
context 'when calling git-upload-pack' do
it { expect(access.check('git-upload-pack', '_any').allowed?).to be_truthy }
end
end
end
end
describe '#check_download_access!' do describe '#check_download_access!' do
subject { access.check('git-upload-pack', '_any') } subject { access.check('git-upload-pack', '_any') }
......
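Review bot: The new contexts only exercise `protocol = 'http'`, so the `http?` gate in `check_command_disabled!` is untested from the other side: nothing asserts that a disabled command is still allowed over SSH, and a later change that drops or widens the gate would pass this spec unnoticed. Add the mirror case under the same `describe` (the default `protocol` let is already 'ssh'), and consider a controller spec for the `ci?` branch of `upload_pack_allowed?`, which does not go through `GitAccess#check` at all. The `describe '#check with commands disabled'` block is complete within the hunk; the fence shows only the SSH context to add inside it.
```ruby
context 'over ssh' do
  before do
    allow(Gitlab.config.gitlab_shell).to receive(:upload_pack).and_return(false)
    allow(Gitlab.config.gitlab_shell).to receive(:receive_pack).and_return(false)
  end

  it { expect(access.check('git-upload-pack', '_any').allowed?).to be_truthy }
  it { expect(access.check('git-receive-pack', '_any').allowed?).to be_truthy }
end
```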