Commit
e390d86f
authored
Aug 10, 2017
by
Stan Hu
Committed by
Jose Ivan Vargas
Aug 10, 2017
Merge branch 'jej/security-release-2017-08-10' into 'master'
Security release 2017-08-10 patch See merge request !13477
parent
54ede0b8
Showing
6 changed files
with
61 additions
and
1 deletion
+61
-1
fix-import-symbolink-links.yml
changelogs/unreleased/fix-import-symbolink-links.yml
+4
-0
rs-alphanumeric-ssh-params.yml
changelogs/unreleased/rs-alphanumeric-ssh-params.yml
+5
-0
file_importer.rb
lib/gitlab/import_export/file_importer.rb
+5
-1
url_blocker.rb
lib/gitlab/url_blocker.rb
+8
-0
file_importer_spec.rb
spec/lib/gitlab/import_export/file_importer_spec.rb
+5
-0
url_blocker_spec.rb
spec/lib/gitlab/url_blocker_spec.rb
+34
-0
changelogs/unreleased/fix-import-symbolink-links.yml
0 → 100644
---
title
:
Remove hidden symlinks from project import files
merge_request
:
author
:
changelogs/unreleased/rs-alphanumeric-ssh-params.yml
0 → 100644
---
title
:
Disallow Git URLs that include a username or hostname beginning with a non-alphanumeric
character
merge_request
:
author
:
lib/gitlab/import_export/file_importer.rb
@@ -47,12 +47,16 @@ module Gitlab
end
def
remove_symlinks!
Dir
[
"
#{
@shared
.
export_path
}
/**/*"
]
.
each
do
|
path
|
extracted_files
.
each
do
|
path
|
FileUtils
.
rm
(
path
)
if
File
.
lstat
(
path
).
symlink?
end
true
end
def
extracted_files
Dir
.
glob
(
"
#{
@shared
.
export_path
}
/**/*"
,
File
::
FNM_DOTMATCH
).
reject
{
|
f
|
f
=~
/.*\/\.{1,2}$/
}
end
end
end
end
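Review bot: The `.`/`..` filter added in `extracted_files` anchors its regex with `$`, which in Ruby matches before a newline, so an entry named `.` followed by a newline would be skipped by the filter and, were it a symlink, survive `remove_symlinks!`; it also goes through `=~` although no capture is used. Comparing the basename avoids both: `.reject { |f| %w[. ..].include?(File.basename(f)) }`. A why-comment on the glob would help the next reader: `# FNM_DOTMATCH makes the glob return hidden (dot-file) entries so hidden symlinks are removed too; drop the "." and ".." entries it also yields`. The class that holds these two methods starts before the hunk.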
lib/gitlab/url_blocker.rb
@@ -19,6 +19,8 @@ module Gitlab
return
false
if
internal?
(
uri
)
return
true
if
blocked_port?
(
uri
.
port
)
return
true
if
blocked_user_or_hostname?
(
uri
.
user
)
return
true
if
blocked_user_or_hostname?
(
uri
.
hostname
)
server_ips
=
Resolv
.
getaddresses
(
uri
.
hostname
)
return
true
if
(
blocked_ips
&
server_ips
).
any?
@@ -37,6 +39,12 @@ module Gitlab
port
<
1024
&&
!
VALID_PORTS
.
include?
(
port
)
end
def
blocked_user_or_hostname?
(
value
)
return
false
if
value
.
blank?
value
!~
/\A\p{Alnum}/
end
def
internal?
(
uri
)
internal_web?
(
uri
)
||
internal_shell?
(
uri
)
end
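Review bot: `blocked_user_or_hostname?` in the second hunk rejects any value whose first character is not alphanumeric, but `URI#hostname` returns IPv6 literals without their brackets, so a host written as `[::ffff:203.0.113.9]` (constructed example) reaches the new check as `::ffff:…` and is blocked on its leading colon — presumably unintended if bracketed IPv6 hosts are meant to pass, though the code that builds `uri` is outside the hunk. Exempting values that parse as an IP address (`IPAddr` from the standard library) before the regex, or sending IP literals only through the existing `blocked_ips` comparison, would keep the new rule to host names. The method also deserves a why-comment, e.g. `# a leading non-alphanumeric character could be read as a command-line option by the git/ssh client that receives the URL, so reject such user and host values outright`. `blocked_url?`, which the first hunk extends, starts and ends outside that hunk.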
spec/lib/gitlab/import_export/file_importer_spec.rb
@@ -5,6 +5,7 @@ describe Gitlab::ImportExport::FileImporter do
let
(
:export_path
)
{
"
#{
Dir
.
tmpdir
}
/file_importer_spec"
}
let
(
:valid_file
)
{
"
#{
shared
.
export_path
}
/valid.json"
}
let
(
:symlink_file
)
{
"
#{
shared
.
export_path
}
/invalid.json"
}
let
(
:hidden_symlink_file
)
{
"
#{
shared
.
export_path
}
/.hidden"
}
let
(
:subfolder_symlink_file
)
{
"
#{
shared
.
export_path
}
/subfolder/invalid.json"
}
before
do
@@ -25,6 +26,10 @@ describe Gitlab::ImportExport::FileImporter do
expect
(
File
.
exist?
(
symlink_file
)).
to
be
false
end
it
'removes hidden symlinks in root folder'
do
expect
(
File
.
exist?
(
hidden_symlink_file
)).
to
be
false
end
it
'removes symlinks in subfolders'
do
expect
(
File
.
exist?
(
subfolder_symlink_file
)).
to
be
false
end
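Review bot: The two new examples ('removes hidden symlinks in root folder', 'removes symlinks in subfolders') assert on `File.exist?`, which follows the link: if the symlink's target is absent, `File.exist?` is already false before `remove_symlinks!` runs, so the assertion cannot tell a removed link from a dangling one and the new `FNM_DOTMATCH`/subfolder behaviour may go unexercised. Whether the targets exist depends on the `before` block, which lies outside the hunk. `File.symlink?` reports the link itself: `expect(File.symlink?(hidden_symlink_file)).to be false`, and likewise for `subfolder_symlink_file`.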
spec/lib/gitlab/url_blocker_spec.rb
@@ -20,6 +20,34 @@ describe Gitlab::UrlBlocker do
expect
(
described_class
.
blocked_url?
(
'https://gitlab.com:25/foo/foo.git'
)).
to
be
true
end
it
'returns true for a non-alphanumeric hostname'
do
stub_resolv
aggregate_failures
do
expect
(
described_class
).
to
be_blocked_url
(
'ssh://-oProxyCommand=whoami/a'
)
# The leading character here is a Unicode "soft hyphen"
expect
(
described_class
).
to
be_blocked_url
(
'ssh://oProxyCommand=whoami/a'
)
# Unicode alphanumerics are allowed
expect
(
described_class
).
not_to
be_blocked_url
(
'ssh://ğitlab.com/a'
)
end
end
it
'returns true for a non-alphanumeric username'
do
stub_resolv
aggregate_failures
do
expect
(
described_class
).
to
be_blocked_url
(
'ssh://-oProxyCommand=whoami@example.com/a'
)
# The leading character here is a Unicode "soft hyphen"
expect
(
described_class
).
to
be_blocked_url
(
'ssh://oProxyCommand=whoami@example.com/a'
)
# Unicode alphanumerics are allowed
expect
(
described_class
).
not_to
be_blocked_url
(
'ssh://ğitlab@example.com/a'
)
end
end
it
'returns true for invalid URL'
do
expect
(
described_class
.
blocked_url?
(
'http://:8080'
)).
to
be
true
end
@@ -28,4 +56,10 @@ describe Gitlab::UrlBlocker do
expect
(
described_class
.
blocked_url?
(
'https://gitlab.com/foo/foo.git'
)).
to
be
false
end
end
# Resolv does not support resolving UTF-8 domain names
# See https://bugs.ruby-lang.org/issues/4270
def
stub_resolv
allow
(
Resolv
).
to
receive
(
:getaddresses
).
and_return
([])
end
end
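Review bot: The second expectation in each new example depends on an invisible U+00AD soft hyphen as the first character of the literal (the rendered `'ssh://oProxyCommand=whoami/a'` and `'ssh://oProxyCommand=whoami@example.com/a'` show nothing there), and an editor, formatter or copy-paste that normalises the string would turn the case into a plain alphanumeric host and make the example fail while the source still looks identical to what the comment describes. Spelling the character out keeps the intent visible and diff-able: `"ssh://\u00ADoProxyCommand=whoami/a"` and `"ssh://\u00ADoProxyCommand=whoami@example.com/a"` (double quotes are required for the `\u` escape). The `describe` block that holds these examples starts before the first hunk.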