Commit 3f3b202c6efa17a8e6731ba44c5f3bf672c28672

Authored by Dmitriy Zaporozhets
1 parent a1d88f0f

Improve files API. Relative path check added. Create dir for new file if missing

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
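--- a/lib/gitlab/satellite/files/delete_file_action.rb
+++ b/lib/gitlab/satellite/files/delete_file_action.rb
@@ -17,6 +17,13 @@ module Gitlab
 
 # update the file in the satellite's working dir
 file_path_in_satellite = File.join(repo.working_dir, file_path)
+
+# Prevent relative links
+unless safe_path?(file_path_in_satellite)
+Gitlab::GitLogger.error("FileAction: Relative path not allowed")
+return false
+end
+
 File.delete(file_path_in_satellite)
 
 # add removed file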
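Review bot: The comment `# Prevent relative links` on the new line 21 describes the wrong thing: `safe_path?` rejects a path whose normalised absolute form differs from the input, i.e. `.`/`..` components and doubled separators, and has nothing to do with links. Suggest `# Reject paths that do not normalise to themselves (e.g. containing "..")` here, and the same wording where the identical comment is added in edit_file_action.rb and kept in new_file_action.rb. The guard does run before `File.delete`, so nothing is touched on the rejected branch. The enclosing method starts before and continues after the hunk.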
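--- a/lib/gitlab/satellite/files/edit_file_action.rb
+++ b/lib/gitlab/satellite/files/edit_file_action.rb
@@ -19,6 +19,13 @@ module Gitlab
 
 # update the file in the satellite's working dir
 file_path_in_satellite = File.join(repo.working_dir, file_path)
+
+# Prevent relative links
+unless safe_path?(file_path_in_satellite)
+Gitlab::GitLogger.error("FileAction: Relative path not allowed")
+return false
+end
+
 File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
 
 # commit the changes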
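--- a/lib/gitlab/satellite/files/file_action.rb
+++ b/lib/gitlab/satellite/files/file_action.rb
@@ -8,6 +8,10 @@ module Gitlab
 @file_path = file_path
 @ref = ref
 end
+
+def safe_path?(path)
+File.absolute_path(path) == path
+end
 end
 end
 end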
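Review bot: `safe_path?` on the new lines 12–14 only proves that `path` is already in normalised absolute form; it does not assert that the path lies inside the satellite working directory, and `File.absolute_path` does not resolve symlinks, so a symlinked entry under the working dir that points elsewhere passes unchanged. The three callers (delete_file_action.rb, edit_file_action.rb, new_file_action.rb) all build `path` with `File.join(repo.working_dir, file_path)`, which is what makes the current check sufficient against `..` components, but that assumption lives outside this method and a containment test would make it explicit, e.g. `root = File.join(File.absolute_path(repo.working_dir), '')` followed by `File.absolute_path(path) == path && path.start_with?(root)` — if `repo` is reachable from FileAction (the hunk does not show it), otherwise pass the root in as a second argument. Resolving the nearest existing parent with `File.realpath` before the prefix test would also cover the symlink case. A one-line doc comment stating what the predicate guarantees, `# true only when path is already normalised: no ".", "..", or doubled separators`, would help the callers use it correctly.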
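--- a/lib/gitlab/satellite/files/new_file_action.rb
+++ b/lib/gitlab/satellite/files/new_file_action.rb
@@ -16,15 +16,19 @@ module Gitlab
 # create target branch in satellite at the corresponding commit from bare repo
 repo.git.checkout({raise: true, timeout: true, b: true}, ref, "origin/#{ref}")
 
-# update the file in the satellite's working dir
 file_path_in_satellite = File.join(repo.working_dir, file_path)
+dir_name_in_satellite = File.dirname(file_path_in_satellite)
 
 # Prevent relative links
-unless File.absolute_path(file_path_in_satellite) == file_path_in_satellite
-Gitlab::GitLogger.error("NewFileAction: Relative path not allowed")
+unless safe_path?(file_path_in_satellite)
+Gitlab::GitLogger.error("FileAction: Relative path not allowed")
 return false
 end
 
+# Create dir if not exists
+FileUtils.mkdir_p(dir_name_in_satellite)
+
+# Write file
 File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
 
 # add new file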
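Review bot: `FileUtils.mkdir_p` on the new line 29 is the first use of `FileUtils` visible in this file; unless the file or the application loader already requires it, add `require 'fileutils'` at the top so the action does not depend on load order. The ordering itself is right: the directory is only created after `safe_path?` has accepted the path, so `dir_name_in_satellite` computed on the new line 20 is never used on the rejected branch. The enclosing method starts before and continues after the hunk.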