BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
de433463
Commit
de433463
authored
Nov 09, 2016
by
Robert Speicher
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add more highlighting to Shell Commands doc
[ci skip]
parent
57f9ee0b
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
4 additions
and
4 deletions
+4
-4
shell_commands.md
doc/development/shell_commands.md
+4
-4
No files found.
doc/development/shell_commands.md
View file @
de433463
...
...
@@ -129,7 +129,7 @@ Various methods for opening and reading files in Ruby can be used to read the
standard output of a process instead of a file. The following two commands do
roughly the same:
```
```
ruby
`touch /tmp/pawned-by-backticks`
File
.
read
(
'|touch /tmp/pawned-by-file-read'
)
```
...
...
@@ -142,7 +142,7 @@ attacker cannot control the start of the filename string you are opening. For
instance, the following is sufficient to protect against accidentally starting
a shell command with
`|`
:
```
```
ruby
# we assume repo_path is not controlled by the attacker (user)
path
=
File
.
join
(
repo_path
,
user_input
)
# path cannot start with '|' now.
...
...
@@ -160,7 +160,7 @@ Path traversal is a security where the program (GitLab) tries to restrict user
access to a certain directory on disk, but the user manages to open a file
outside that directory by taking advantage of the
`../`
path notation.
```
```
ruby
# Suppose the user gave us a path and they are trying to trick us
user_input
=
'../other-repo.git/other-file'
...
...
@@ -177,7 +177,7 @@ File.open(full_path) do # Oops!
A good way to protect against this is to compare the full path with its
'absolute path' according to Ruby's
`File.absolute_path`
.
```
```
ruby
full_path
=
File
.
join
(
repo_path
,
user_input
)
if
full_path
!=
File
.
absolute_path
(
full_path
)
raise
"Invalid path:
#{
full_path
.
inspect
}
"
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment