Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
1ffc123d
Commit
1ffc123d
authored
Jan 16, 2019
by
Robert Speicher
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq
parents
c4cbd101
cdaef30e
Changes
6
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
79 additions
and
5 deletions
+79
-5
changelogs/unreleased/security-2770-verify-bundle-import-files.yml
...s/unreleased/security-2770-verify-bundle-import-files.yml
+5
-0
lib/gitlab/git/bundle_file.rb
lib/gitlab/git/bundle_file.rb
+30
-0
lib/gitlab/git/repository.rb
lib/gitlab/git/repository.rb
+5
-0
spec/fixtures/malicious.bundle
spec/fixtures/malicious.bundle
+1
-0
spec/lib/gitlab/git/bundle_file_spec.rb
spec/lib/gitlab/git/bundle_file_spec.rb
+26
-0
spec/lib/gitlab/git/repository_spec.rb
spec/lib/gitlab/git/repository_spec.rb
+12
-5
No files found.
changelogs/unreleased/security-2770-verify-bundle-import-files.yml
0 → 100644
View file @
1ffc123d
---
title
:
Validate bundle files before unpacking them
merge_request
:
author
:
type
:
security
lib/gitlab/git/bundle_file.rb
0 → 100644
View file @
1ffc123d
# frozen_string_literal: true
module
Gitlab
module
Git
class
BundleFile
# All git bundle files start with this string
#
# https://github.com/git/git/blob/v2.20.1/bundle.c#L15
MAGIC
=
"# v2 git bundle
\n
"
InvalidBundleError
=
Class
.
new
(
StandardError
)
attr_reader
:filename
def
self
.
check!
(
filename
)
new
(
filename
).
check!
end
def
initialize
(
filename
)
@filename
=
filename
end
def
check!
data
=
File
.
open
(
filename
,
'r'
)
{
|
f
|
f
.
read
(
MAGIC
.
size
)
}
raise
InvalidBundleError
,
'Invalid bundle file'
unless
data
==
MAGIC
end
end
end
end
lib/gitlab/git/repository.rb
View file @
1ffc123d
...
...
@@ -789,6 +789,11 @@ module Gitlab
end
def
create_from_bundle
(
bundle_path
)
# It's important to check that the linked-to file is actually a valid
# .bundle file as it is passed to `git clone`, which may otherwise
# interpret it as a pointer to another repository
::
Gitlab
::
Git
::
BundleFile
.
check!
(
bundle_path
)
gitaly_repository_client
.
create_from_bundle
(
bundle_path
)
end
...
...
spec/fixtures/malicious.bundle
0 → 100644
View file @
1ffc123d
gitdir: foo.git
spec/lib/gitlab/git/bundle_file_spec.rb
0 → 100644
View file @
1ffc123d
require
'spec_helper'
describe
Gitlab
::
Git
::
BundleFile
do
describe
'.check!'
do
let
(
:valid_bundle
)
{
Tempfile
.
new
}
let
(
:valid_bundle_path
)
{
valid_bundle
.
path
}
let
(
:invalid_bundle_path
)
{
Rails
.
root
.
join
(
'spec/fixtures/malicious.bundle'
)
}
after
do
valid_bundle
.
close!
end
it
'returns nil for a valid bundle'
do
valid_bundle
.
write
(
"# v2 git bundle
\n
foo bar baz
\n
"
)
valid_bundle
.
close
expect
(
described_class
.
check!
(
valid_bundle_path
)).
to
be_nil
end
it
'raises an exception for an invalid bundle'
do
expect
do
described_class
.
check!
(
invalid_bundle_path
)
end
.
to
raise_error
(
described_class
::
InvalidBundleError
)
end
end
end
spec/lib/gitlab/git/repository_spec.rb
View file @
1ffc123d
...
...
@@ -1753,22 +1753,23 @@ describe Gitlab::Git::Repository, :seed_helper do
end
describe
'#create_from_bundle'
do
let
(
:bundle_path
)
{
File
.
join
(
Dir
.
tmpdir
,
"repo-
#{
SecureRandom
.
hex
}
.bundle"
)
}
let
(
:valid_bundle_path
)
{
File
.
join
(
Dir
.
tmpdir
,
"repo-
#{
SecureRandom
.
hex
}
.bundle"
)
}
let
(
:malicious_bundle_path
)
{
Rails
.
root
.
join
(
'spec/fixtures/malicious.bundle'
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:imported_repo
)
{
project
.
repository
.
raw
}
before
do
expect
(
repository
.
bundle_to_disk
(
bundle_path
)).
to
be_truthy
expect
(
repository
.
bundle_to_disk
(
valid_
bundle_path
)).
to
be_truthy
end
after
do
FileUtils
.
rm_rf
(
bundle_path
)
FileUtils
.
rm_rf
(
valid_
bundle_path
)
end
it
'creates a repo from a bundle file'
do
expect
(
imported_repo
).
not_to
exist
result
=
imported_repo
.
create_from_bundle
(
bundle_path
)
result
=
imported_repo
.
create_from_bundle
(
valid_
bundle_path
)
expect
(
result
).
to
be_truthy
expect
(
imported_repo
).
to
exist
...
...
@@ -1776,11 +1777,17 @@ describe Gitlab::Git::Repository, :seed_helper do
end
it
'creates a symlink to the global hooks dir'
do
imported_repo
.
create_from_bundle
(
bundle_path
)
imported_repo
.
create_from_bundle
(
valid_
bundle_path
)
hooks_path
=
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
{
File
.
join
(
imported_repo
.
path
,
'hooks'
)
}
expect
(
File
.
readlink
(
hooks_path
)).
to
eq
(
Gitlab
.
config
.
gitlab_shell
.
hooks_path
)
end
it
'raises an error if the bundle is an attempted malicious payload'
do
expect
do
imported_repo
.
create_from_bundle
(
malicious_bundle_path
)
end
.
to
raise_error
(
::
Gitlab
::
Git
::
BundleFile
::
InvalidBundleError
)
end
end
describe
'#checksum'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment