Commit 4e589d36, authored Apr 27, 2021 by Kassio Borges
ImportExport: Validate URL before downloading
Ensure to validate the URL of a file before downloading it.
parent 5222fb59

Changes: 2 changed files with 44 additions and 0 deletions
  lib/gitlab/import_export/command_line_util.rb (+15, -0)
  spec/lib/gitlab/import_export/command_line_util_spec.rb (+29, -0)
lib/gitlab/import_export/command_line_util.rb

@@ -30,6 +30,8 @@ module Gitlab
       end
 
       def download(url, upload_path)
+        validate_url!(url)
+
         File.open(upload_path, 'w') do |file|
           # Download (stream) file from the uploader's location
           IO.copy_stream(URI.parse(url).open, file)
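Review bot: the check is on the raw string and its result is discarded; `download` then re-parses the same `url` and calls `URI#open`, which in open-uri follows HTTP redirects on its own, so a URL that passes `validate_url!` can still redirect to a localhost or private-network address that the blocker would have rejected. Calling `validate_url!(url)` before `File.open` is the right order (a blocked URL never creates the destination file), but consider keeping the validated URI instead of re-parsing `url`, and limiting or re-validating redirects on the `open` call so the address actually connected to is the one that was checked.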
@@ -63,6 +65,19 @@ module Gitlab
         FileUtils.copy_entry(source, destination)
         true
       end
+
+      def validate_url!(url)
+        ::Gitlab::UrlBlocker.validate!(
+          url,
+          allow_localhost: allow_local_requests?,
+          allow_local_network: allow_local_requests?,
+          schemes: %w(http https)
+        )
+      end
+
+      def allow_local_requests?
+        ::Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
+      end
     end
   end
 end
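Review bot: `validate_url!` and `allow_local_requests?` are added as public methods of the mixin, so every class that includes `CommandLineUtil` now exposes them; both are only used from `download` and belong under `private`. Minor: `allow_local_requests?` is read twice per call (once for `allow_localhost:`, once for `allow_local_network:`); assigning it to a local first keeps the two flags from diverging if the setting changes between reads. A one-line comment noting that the import/export download deliberately reuses the web-hooks-and-services setting would also help, since that coupling is not obvious from the method name.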
spec/lib/gitlab/import_export/command_line_util_spec.rb

@@ -16,6 +16,10 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil do
       def initialize
         @shared = Gitlab::ImportExport::Shared.new(nil)
       end
+
+      def execute_download(url)
+        download(url, 'path')
+      end
     end.new
   end
 
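Review bot: `execute_download` hard-codes `'path'` as the destination, so any example that gets past validation and reaches `File.open(upload_path, 'w')` writes a file literally named `path` into the working directory of the test process (only `IO.copy_stream` is stubbed further down, not `File.open`). Pass the destination in, or point it at a `Dir.mktmpdir` / `Tempfile` path, so the spec cleans up after itself and can assert on what was written.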
@@ -35,4 +39,29 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil do
   it 'has the right mask for uploads' do
     expect(file_permissions("#{path}/uploads")).to eq(0755) # originally 555
   end
+
+  context 'validates the URL before executing the download' do
+    before do
+      stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
+    end
+
+    it 'raises error when the given URL is blocked' do
+      expect { subject.execute_download('http://localhost:3000/file') }
+        .to raise_error(Gitlab::UrlBlocker::BlockedUrlError, 'Requests to localhost are not allowed')
+    end
+
+    it 'executes the download when the URL is allowed' do
+      expect_next_instance_of(URI::HTTP) do |uri|
+        expect(uri).to receive(:open).and_return('file content')
+      end
+
+      expect(IO).to receive(:copy_stream).with('file content', instance_of(File))
+
+      subject.execute_download('http://some.url.remote/file')
+    end
+  end
 end
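Review bot: the blocked case only covers localhost with the setting `false`, while `validate_url!` also passes `allow_local_network:` and `schemes: %w(http https)`, and neither is exercised here. Add an example for a private-network address and one for a non-http scheme (for example a `file://` URL), both expecting `Gitlab::UrlBlocker::BlockedUrlError`, plus one with `allow_local_requests_from_web_hooks_and_services: true` showing that a localhost URL is then permitted, so the setting-dependent branch is pinned down. Matching the full message `'Requests to localhost are not allowed'` also ties this spec to `UrlBlocker`'s wording; matching on the error class (or a regexp) is less brittle.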