Commit 3ee0710d authored Dec 11, 2018 by Nick Thomas
Validate LFS hrefs before downloading them
parent 18a48e34
Showing 3 changed files with 20 additions and 0 deletions (+20 -0)
app/services/projects/lfs_pointers/lfs_download_service.rb (+3 -0)
changelogs/unreleased/security-2754-fix-lfs-import.yml (+5 -0)
spec/services/projects/lfs_pointers/lfs_download_service_spec.rb (+12 -0)
app/services/projects/lfs_pointers/lfs_download_service.rb
@@ -4,6 +4,8 @@
module
Projects
module
LfsPointers
class
LfsDownloadService
<
BaseService
VALID_PROTOCOLS
=
%w[http https]
.
freeze
# rubocop: disable CodeReuse/ActiveRecord
def
execute
(
oid
,
url
)
return
unless
project
&
.
lfs_enabled?
&&
oid
.
present?
&&
url
.
present?
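Review bot: VALID_PROTOCOLS is introduced as a public class constant but nothing in this hunk reads it, so on its own the hunk is inert and only takes effect through the validate! call added further down in execute; mark it `private_constant :VALID_PROTOCOLS` so nothing outside the service starts depending on it, and add a one-line comment stating why only http and https are accepted, since the spec below deliberately exercises a scheme-less path and an ftp:// href and a future reader should not have to rediscover that the allowlist is what rejects them.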
@@ -11,6 +13,7 @@ module Projects
return
if
LfsObject
.
exists?
(
oid:
oid
)
sanitized_uri
=
Gitlab
::
UrlSanitizer
.
new
(
url
)
Gitlab
::
UrlBlocker
.
validate!
(
sanitized_uri
.
sanitized_url
,
protocols:
VALID_PROTOCOLS
)
with_tmp_file
(
oid
)
do
|
file
|
size
=
download_and_save_file
(
file
,
sanitized_uri
)
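Review bot: Gitlab::UrlBlocker.validate! raises on a blocked URL rather than returning false, and nothing in this hunk rescues it, so a malicious href now aborts execute with an exception instead of just skipping that pointer; if there is a rescue lower in execute (outside this hunk) that logs and swallows it, that is what the spec's `not_to change { LfsObject.count }` expectation is relying on, so confirm it exists and that it logs `sanitized_uri.sanitized_url` rather than the raw url, which may still carry credentials. Two further things this hunk cannot show and that should be checked in download_and_save_file: it receives the whole sanitized_uri object, so make sure it fetches exactly the URL that was validated and re-applies any credentials only as request auth, and make sure it does not follow HTTP redirects, otherwise a 302 from an allowed host to 127.0.0.1 or a link-local address passes validate! and is still downloaded. Note also that the check resolves the host once at validation time; a name that later resolves to an internal address (DNS rebinding between validate! and the actual GET) is not covered by this change.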
changelogs/unreleased/security-2754-fix-lfs-import.yml
0 → 100644
---
title
:
Validate LFS hrefs before downloading them
merge_request
:
author
:
type
:
security
spec/services/projects/lfs_pointers/lfs_download_service_spec.rb
@@ -54,6 +54,18 @@ describe Projects::LfsPointers::LfsDownloadService do
end
end
context
'when a bad URL is used'
do
where
(
download_link:
[
'/etc/passwd'
,
'ftp://example.com'
,
'http://127.0.0.2'
])
with_them
do
it
'does not download the file'
do
expect
(
subject
).
not_to
receive
(
:download_and_save_file
)
expect
{
subject
.
execute
(
oid
,
download_link
)
}.
not_to
change
{
LfsObject
.
count
}
end
end
end
context
'when an lfs object with the same oid already exists'
do
before
do
create
(
:lfs_object
,
oid:
'oid'
)
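Review bot: the `where` table covers one scheme-less path, one disallowed scheme and one loopback address, but not the other classes of URL the blocker exists to stop, so a regression in any single branch of UrlBlocker would go unnoticed; add at least `http://localhost`, `http://[::1]`, a link-local/metadata address such as `http://169.254.169.254` and `file:///etc/passwd` to the list. The assertions are also indirect: `not_to receive(:download_and_save_file)` plus `not_to change { LfsObject.count }` only pass if the exception from validate! does not escape execute, yet nothing here states whether it is expected to be rescued and logged or to propagate; add an explicit expectation for whichever is intended (for example that the error is logged) so an intentional raise is not misread as a test failure.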