Commit 5e4418b2 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'fix/export-project-file-permissions' into 'security'

Fix export project file permissions issue

Fixes security concerns of https://gitlab.com/gitlab-org/gitlab-ce/issues/22757

I have just added the permissions 0700 to the creation of any of the export paths, as @jacobvosmaer suggested in https://gitlab.com/gitlab-org/gitlab-ce/issues/22757#note_16197616

After this has fixed, it could take up to 24 hours in the worse case scenario for old archives to be completely safe - This is the time `ImportExportProjectCleanupWorker` may take to remove the folders. The temporary folders will be 0700 straight away for new installations.

See merge request !2003
parents 08bab4bb 958d9f11
......@@ -3,6 +3,9 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.13.0 (unreleased)
- Speed-up group milestones show page
v 8.12.4 (unreleased)
- Set GitLab project exported file permissions to owner only
v 8.12.2 (unreleased)
- Fix Import/Export not recognising correctly the imported services.
- Respect the fork_project permission when forking projects
......
module Gitlab
module ImportExport
module CommandLineUtil
DEFAULT_MODE = 0700
def tar_czf(archive:, dir:)
tar_with_options(archive: archive, dir: dir, options: 'czf')
end
......@@ -21,6 +23,11 @@ module Gitlab
execute(%W(#{Gitlab.config.gitlab_shell.path}/bin/create-hooks) + repository_storage_paths_args)
end
def mkdir_p(path)
FileUtils.mkdir_p(path, mode: DEFAULT_MODE)
FileUtils.chmod(DEFAULT_MODE, path)
end
private
def tar_with_options(archive:, dir:, options:)
......@@ -45,7 +52,7 @@ module Gitlab
# if we are copying files, create the destination folder
destination_folder = File.file?(source) ? File.dirname(destination) : destination
FileUtils.mkdir_p(destination_folder)
mkdir_p(destination_folder)
FileUtils.copy_entry(source, destination)
true
end
......
......@@ -15,7 +15,7 @@ module Gitlab
end
def import
FileUtils.mkdir_p(@shared.export_path)
mkdir_p(@shared.export_path)
wait_for_archived_file do
decompress_archive
......
module Gitlab
module ImportExport
class ProjectTreeSaver
include Gitlab::ImportExport::CommandLineUtil
attr_reader :full_path
def initialize(project:, shared:)
......@@ -10,7 +12,7 @@ module Gitlab
end
def save
FileUtils.mkdir_p(@shared.export_path)
mkdir_p(@shared.export_path)
File.write(full_path, project_json_tree)
true
......
......@@ -12,7 +12,7 @@ module Gitlab
def restore
return true unless File.exist?(@path_to_bundle)
FileUtils.mkdir_p(path_to_repo)
mkdir_p(path_to_repo)
git_unbundle(repo_path: path_to_repo, bundle_path: @path_to_bundle) && repo_restore_hooks
rescue => e
......
......@@ -20,7 +20,7 @@ module Gitlab
private
def bundle_to_disk
FileUtils.mkdir_p(@shared.export_path)
mkdir_p(@shared.export_path)
git_bundle(repo_path: path_to_repo, bundle_path: @full_path)
rescue => e
@shared.error(e)
......
module Gitlab
module ImportExport
class VersionSaver
include Gitlab::ImportExport::CommandLineUtil
def initialize(shared:)
@shared = shared
end
def save
FileUtils.mkdir_p(@shared.export_path)
mkdir_p(@shared.export_path)
File.write(version_file, Gitlab::ImportExport.version, mode: 'w')
rescue => e
......
......@@ -9,7 +9,7 @@ module Gitlab
end
def bundle_to_disk(full_path)
FileUtils.mkdir_p(@shared.export_path)
mkdir_p(@shared.export_path)
git_bundle(repo_path: path_to_repo, bundle_path: full_path)
rescue => e
@shared.error(e)
......
......@@ -47,6 +47,8 @@ feature 'Import/Export - project export integration test', feature: true, js: tr
expect(page).to have_content('Download export')
expect(file_permissions(project.export_path)).to eq(0700)
in_directory_with_expanded_export(project) do |exit_status, tmpdir|
expect(exit_status).to eq(0)
......
......@@ -130,4 +130,8 @@ module ExportFileHelper
(parsed_model_attributes - parent.keys - excluded_attributes).empty?
end
def file_permissions(file)
File.stat(file).mode & 0777
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment