Commit 3f3b202c6efa17a8e6731ba44c5f3bf672c28672

Authored by Dmitriy Zaporozhets
1 parent a1d88f0f

Improve files API: add a relative-path check, and create the directory for a new file if it is missing.

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
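--- a/lib/gitlab/satellite/files/delete_file_action.rb
+++ b/lib/gitlab/satellite/files/delete_file_action.rb
@@ -17,6 +17,13 @@ module Gitlab
 
 # update the file in the satellite's working dir
 file_path_in_satellite = File.join(repo.working_dir, file_path)
+
+# Prevent relative links
+unless safe_path?(file_path_in_satellite)
+Gitlab::GitLogger.error("FileAction: Relative path not allowed")
+return false
+end
+
 File.delete(file_path_in_satellite)
 
 # add removed file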
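Review bot: The comment `# Prevent relative links` above the new guard (line 21) understates what is actually being rejected and is easy to misread as a symlink check; `safe_path?` compares the joined path with its `File.absolute_path` normalization, so what it refuses is any path containing `..` or `.` segments or redundant/trailing slashes, and it never looks at links at all. A comment that says what the check guarantees would help the next reader: `# Reject paths that do not normalize to themselves (e.g. "..", ".", "//") so the target cannot escape repo.working_dir`. The log message on line 23 carries the same looseness; `"FileAction: path must be normalized and inside the satellite"` would describe the failure more precisely. The enclosing method starts and ends outside this hunk.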
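--- a/lib/gitlab/satellite/files/edit_file_action.rb
+++ b/lib/gitlab/satellite/files/edit_file_action.rb
@@ -19,6 +19,13 @@ module Gitlab
 
 # update the file in the satellite's working dir
 file_path_in_satellite = File.join(repo.working_dir, file_path)
+
+# Prevent relative links
+unless safe_path?(file_path_in_satellite)
+Gitlab::GitLogger.error("FileAction: Relative path not allowed")
+return false
+end
+
 File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
 
 # commit the changes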
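--- a/lib/gitlab/satellite/files/file_action.rb
+++ b/lib/gitlab/satellite/files/file_action.rb
@@ -8,6 +8,10 @@ module Gitlab
 @file_path = file_path
 @ref = ref
 end
+
+def safe_path?(path)
+File.absolute_path(path) == path
+end
 end
 end
 end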
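Review bot: `safe_path?` (line 13) only rejects paths that `File.absolute_path` would rewrite, so it stops `..` traversal but does not confine the target to the repository content: a request such as `.git/config` or `.git/hooks/pre-commit` joins to a fully normalized path under the working dir, passes the check, and the edit action's `File.open(..., 'w')` then overwrites satellite metadata that the later `repo.git.*` calls will read. The comparison is also purely lexical, so a symlink checked out in the working tree is followed by the subsequent write or mkdir; resolving the parent with `File.realpath` against `repo.working_dir` would close that, but I cannot tell from this hunk whether `repo` is reachable in this class, since the class header is outside the hunk. At minimum the helper should refuse the git directory: `File.absolute_path(path) == path && !path.split(File::SEPARATOR).include?('.git')`, and a one-line comment stating what the predicate guarantees (`# true only for an already-normalized absolute path — callers must have joined it onto repo.working_dir first`) would make its contract explicit.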
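--- a/lib/gitlab/satellite/files/new_file_action.rb
+++ b/lib/gitlab/satellite/files/new_file_action.rb
@@ -16,15 +16,19 @@ module Gitlab
 # create target branch in satellite at the corresponding commit from bare repo
 repo.git.checkout({raise: true, timeout: true, b: true}, ref, "origin/#{ref}")
 
-# update the file in the satellite's working dir
 file_path_in_satellite = File.join(repo.working_dir, file_path)
+dir_name_in_satellite = File.dirname(file_path_in_satellite)
 
 # Prevent relative links
-unless File.absolute_path(file_path_in_satellite) == file_path_in_satellite
-Gitlab::GitLogger.error("NewFileAction: Relative path not allowed")
+unless safe_path?(file_path_in_satellite)
+Gitlab::GitLogger.error("FileAction: Relative path not allowed")
 return false
 end
 
+# Create dir if not exists
+FileUtils.mkdir_p(dir_name_in_satellite)
+
+# Write file
 File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
 
 # add new file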
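Review bot: `FileUtils.mkdir_p(dir_name_in_satellite)` on line 29 is fed a directory derived from the caller-supplied `file_path`, and when any component of that path is an existing regular file it raises (`Errno::EEXIST` or `Errno::ENOTDIR`) instead of returning `false` the way the guard a few lines above does; unless a caller outside this hunk rescues it, a request like `README.md/new.txt` surfaces as an exception rather than a logged failure. Catching the system-call error and reporting it through the same logger keeps the method's `false`-on-failure contract consistent. Relatedly, the `File.open(..., 'w')` that follows will silently replace an existing file, so if this "new file" action is meant to reject existing paths a `File.exist?` guard belongs before the write; I cannot tell from this hunk whether that is enforced earlier. The enclosing method starts and ends outside the hunk.
```ruby
# Create dir if not exists; mkdir_p raises when a path component is a regular file
begin
  FileUtils.mkdir_p(dir_name_in_satellite)
rescue SystemCallError => e
  Gitlab::GitLogger.error("NewFileAction: cannot create directory: #{e.message}")
  return false
end
# … unchanged: write file, add new file …
```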