diff --git a/changelogs/unreleased/security-group-import-file-enuming.yml b/changelogs/unreleased/security-group-import-file-enuming.yml
new file mode 100644
index 0000000000000000000000000000000000000000..efdff7e84e9ff78a89b4916ed434d88d004aabcd
--- /dev/null
+++ b/changelogs/unreleased/security-group-import-file-enuming.yml
@@ -0,0 +1,5 @@
+---
+title: Fix file enuming using Group Import
+merge_request:
+author:
+type: security
diff --git a/lib/api/group_import.rb b/lib/api/group_import.rb
index ed52506de147c1a2fa5bfafbd8943b4fda4ed60a..ec51c2f44c32d0578cbd9ca719300d9d4a71f35d 100644
--- a/lib/api/group_import.rb
+++ b/lib/api/group_import.rb
@@ -4,6 +4,8 @@ module API
class GroupImport < Grape::API
MAXIMUM_FILE_SIZE = 50.megabytes.freeze
+ helpers Helpers::FileUploadHelpers
+
helpers do
def parent_group
find_group!(params[:parent_id]) if params[:parent_id].present?
@@ -48,29 +50,20 @@ module API
params do
requires :path, type: String, desc: 'Group path'
requires :name, type: String, desc: 'Group name'
+ requires :file, type: ::API::Validations::Types::WorkhorseFile, desc: 'The group export file to be imported'
optional :parent_id, type: Integer, desc: "The ID of the parent group that the group will be imported into. Defaults to the current user's namespace."
- optional 'file.path', type: String, desc: 'Path to locally stored body (generated by Workhorse)'
- optional 'file.name', type: String, desc: 'Real filename as send in Content-Disposition (generated by Workhorse)'
- optional 'file.type', type: String, desc: 'Real content type as send in Content-Type (generated by Workhorse)'
- optional 'file.size', type: Integer, desc: 'Real size of file (generated by Workhorse)'
- optional 'file.md5', type: String, desc: 'MD5 checksum of the file (generated by Workhorse)'
- optional 'file.sha1', type: String, desc: 'SHA1 checksum of the file (generated by Workhorse)'
- optional 'file.sha256', type: String, desc: 'SHA256 checksum of the file (generated by Workhorse)'
end
post 'import' do
authorize_create_group!
require_gitlab_workhorse!
-
- uploaded_file = UploadedFile.from_params(params, :file, ImportExportUploader.workhorse_local_upload_path)
-
- bad_request!('Unable to process group import file') unless uploaded_file
+ validate_file!
group_params = {
path: params[:path],
name: params[:name],
parent_id: params[:parent_id],
visibility_level: closest_allowed_visibility_level,
- import_export_upload: ImportExportUpload.new(import_file: uploaded_file)
+ import_export_upload: ImportExportUpload.new(import_file: params[:file])
}
group = ::Groups::CreateService.new(current_user, group_params).execute
diff --git a/spec/requests/api/group_import_spec.rb b/spec/requests/api/group_import_spec.rb
index 58bff08dcbbdc8def07a954749041b9a69e64bf6..b60a1b3f119622690d41621d82d6139c66981f4c 100644
--- a/spec/requests/api/group_import_spec.rb
+++ b/spec/requests/api/group_import_spec.rb
@@ -11,7 +11,7 @@ describe API::GroupImport do
let(:file) { File.join('spec', 'fixtures', 'group_export.tar.gz') }
let(:export_path) { "#{Dir.tmpdir}/group_export_spec" }
let(:workhorse_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
- let(:workhorse_header) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }
+ let(:workhorse_headers) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }
before do
allow_next_instance_of(Gitlab::ImportExport) do |import_export|
@@ -35,7 +35,7 @@ describe API::GroupImport do
}
end
- subject { post api('/groups/import', user), params: params, headers: workhorse_header }
+ subject { upload_archive(file_upload, workhorse_headers, params) }
shared_examples 'when all params are correct' do
context 'when user is authorized to create new group' do
@@ -151,7 +151,7 @@ describe API::GroupImport do
params[:file] = file_upload
expect do
- post api('/groups/import', user), params: params, headers: workhorse_header
+ upload_archive(file_upload, workhorse_headers, params)
end.not_to change { Group.count }.from(1)
expect(response).to have_gitlab_http_status(:bad_request)
@@ -171,7 +171,7 @@ describe API::GroupImport do
context 'without a file from workhorse' do
it 'rejects the request' do
- subject
+ upload_archive(nil, workhorse_headers, params)
expect(response).to have_gitlab_http_status(:bad_request)
end
@@ -179,7 +179,7 @@ describe API::GroupImport do
context 'without a workhorse header' do
it 'rejects request without a workhorse header' do
- post api('/groups/import', user), params: params
+ upload_archive(file_upload, {}, params)
expect(response).to have_gitlab_http_status(:forbidden)
end
@@ -189,9 +189,7 @@ describe API::GroupImport do
let(:params) do
{
path: 'test-import-group',
- name: 'test-import-group',
- 'file.path' => file_upload.path,
- 'file.name' => file_upload.original_filename
+ name: 'test-import-group'
}
end
@@ -229,9 +227,7 @@ describe API::GroupImport do
{
path: 'test-import-group',
name: 'test-import-group',
- file: fog_file,
- 'file.remote_id' => file_name,
- 'file.size' => fog_file.size
+ file: fog_file
}
end
@@ -245,10 +241,21 @@ describe API::GroupImport do
include_examples 'when some params are missing'
end
end
+
+ def upload_archive(file, headers = {}, params = {})
+ workhorse_finalize(
+ api('/groups/import', user),
+ method: :post,
+ file_key: :file,
+ params: params.merge(file: file),
+ headers: headers,
+ send_rewritten_field: true
+ )
+ end
end
describe 'POST /groups/import/authorize' do
- subject { post api('/groups/import/authorize', user), headers: workhorse_header }
+ subject { post api('/groups/import/authorize', user), headers: workhorse_headers }
it 'authorizes importing group with workhorse header' do
subject
@@ -258,7 +265,7 @@ describe API::GroupImport do
end
it 'rejects requests that bypassed gitlab-workhorse' do
- workhorse_header.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)
+ workhorse_headers.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)
subject
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
old mode 100644
new mode 100755
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
old mode 100644
new mode 100755