Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
de433463
Commit
de433463
authored
Nov 09, 2016
by
Robert Speicher
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add more highlighting to Shell Commands doc
[ci skip]
parent
57f9ee0b
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
4 additions
and
4 deletions
+4
-4
doc/development/shell_commands.md
doc/development/shell_commands.md
+4
-4
No files found.
doc/development/shell_commands.md
View file @
de433463
...
@@ -129,7 +129,7 @@ Various methods for opening and reading files in Ruby can be used to read the
...
@@ -129,7 +129,7 @@ Various methods for opening and reading files in Ruby can be used to read the
standard output of a process instead of a file. The following two commands do
standard output of a process instead of a file. The following two commands do
roughly the same:
roughly the same:
```
```
ruby
`touch /tmp/pawned-by-backticks`
`touch /tmp/pawned-by-backticks`
File
.
read
(
'|touch /tmp/pawned-by-file-read'
)
File
.
read
(
'|touch /tmp/pawned-by-file-read'
)
```
```
...
@@ -142,7 +142,7 @@ attacker cannot control the start of the filename string you are opening. For
...
@@ -142,7 +142,7 @@ attacker cannot control the start of the filename string you are opening. For
instance, the following is sufficient to protect against accidentally starting
instance, the following is sufficient to protect against accidentally starting
a shell command with
`|`
:
a shell command with
`|`
:
```
```
ruby
# we assume repo_path is not controlled by the attacker (user)
# we assume repo_path is not controlled by the attacker (user)
path
=
File
.
join
(
repo_path
,
user_input
)
path
=
File
.
join
(
repo_path
,
user_input
)
# path cannot start with '|' now.
# path cannot start with '|' now.
...
@@ -160,7 +160,7 @@ Path traversal is a security where the program (GitLab) tries to restrict user
...
@@ -160,7 +160,7 @@ Path traversal is a security where the program (GitLab) tries to restrict user
access to a certain directory on disk, but the user manages to open a file
access to a certain directory on disk, but the user manages to open a file
outside that directory by taking advantage of the
`../`
path notation.
outside that directory by taking advantage of the
`../`
path notation.
```
```
ruby
# Suppose the user gave us a path and they are trying to trick us
# Suppose the user gave us a path and they are trying to trick us
user_input
=
'../other-repo.git/other-file'
user_input
=
'../other-repo.git/other-file'
...
@@ -177,7 +177,7 @@ File.open(full_path) do # Oops!
...
@@ -177,7 +177,7 @@ File.open(full_path) do # Oops!
A good way to protect against this is to compare the full path with its
A good way to protect against this is to compare the full path with its
'absolute path' according to Ruby's
`File.absolute_path`
.
'absolute path' according to Ruby's
`File.absolute_path`
.
```
```
ruby
full_path
=
File
.
join
(
repo_path
,
user_input
)
full_path
=
File
.
join
(
repo_path
,
user_input
)
if
full_path
!=
File
.
absolute_path
(
full_path
)
if
full_path
!=
File
.
absolute_path
(
full_path
)
raise
"Invalid path:
#{
full_path
.
inspect
}
"
raise
"Invalid path:
#{
full_path
.
inspect
}
"
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment