d9a96037
Commit
d9a96037
authored
Dec 21, 2018
by
GitLab Bot
Automatic merge of gitlab-org/gitlab-ce master
parents
983b9df9
89b0be14
Showing
7 changed files
with
76 additions
and
4 deletions
+76
-4
CHANGELOG.md
CHANGELOG.md
+14
-0
changelogs/unreleased/security-import-symlink.yml
changelogs/unreleased/security-import-symlink.yml
+5
-0
lib/gitlab/import_export/command_line_util.rb
lib/gitlab/import_export/command_line_util.rb
+5
-3
spec/fixtures/symlink_export.tar.gz
spec/fixtures/symlink_export.tar.gz
+0
-0
spec/lib/gitlab/import_export/command_line_util_spec.rb
spec/lib/gitlab/import_export/command_line_util_spec.rb
+38
-0
spec/lib/gitlab/import_export/file_importer_spec.rb
spec/lib/gitlab/import_export/file_importer_spec.rb
+13
-0
spec/support/import_export/export_file_helper.rb
spec/support/import_export/export_file_helper.rb
+1
-1
CHANGELOG.md
...
...
@@ -2,6 +2,13 @@
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
entry.
## 11.5.5 (2018-12-20)
### Security (1 change)
-
Fix persistent symlink in project import.
## 11.5.3 (2018-12-06)
### Security (1 change)
...
...
@@ -628,6 +635,13 @@ entry.
-
Check frozen string in style builds. (gfyoung)
## 11.3.14 (2018-12-20)
### Security (1 change)
-
Fix persistent symlink in project import.
## 11.3.13 (2018-12-13)
### Security (1 change)
...
...
changelogs/unreleased/security-import-symlink.yml
0 → 100644
---
title
:
Fix persistent symlink in project import
merge_request
:
author
:
type
:
security
lib/gitlab/import_export/command_line_util.rb
...
...
@@ -3,7 +3,8 @@
module
Gitlab
module
ImportExport
module
CommandLineUtil
DEFAULT_MODE
=
0700
UNTAR_MASK
=
'u+rwX,go+rX,go-w'
DEFAULT_DIR_MODE
=
0700
def
tar_czf
(
archive
:,
dir
:)
tar_with_options
(
archive:
archive
,
dir:
dir
,
options:
'czf'
)
...
...
@@ -14,8 +15,8 @@ module Gitlab
end
def
mkdir_p
(
path
)
FileUtils
.
mkdir_p
(
path
,
mode:
DEFAULT_MODE
)
FileUtils
.
chmod
(
DEFAULT_MODE
,
path
)
FileUtils
.
mkdir_p
(
path
,
mode:
DEFAULT_
DIR_
MODE
)
FileUtils
.
chmod
(
DEFAULT_
DIR_
MODE
,
path
)
end
private
...
...
@@ -41,6 +42,7 @@ module Gitlab
def
untar_with_options
(
archive
:,
dir
:,
options
:)
execute
(
%W(tar -
#{
options
}
#{
archive
}
-C
#{
dir
}
)
)
execute
(
%W(chmod -R
#{
UNTAR_MASK
}
#{
dir
}
)
)
end
def
execute
(
cmd
)
...
...
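Review bot: The `execute(%W(chmod -R #{UNTAR_MASK} #{dir}))` added after the untar call grants group/other read on everything extracted (`go+rX`), so the extracted tree is only as private as its parent directory; that holds here because `mkdir_p` now creates it with `DEFAULT_DIR_MODE` (0700), but the dependency is silent and deserves a comment such as `# Normalise modes of the extracted tree so it can be traversed and cleaned; confidentiality relies on the 0700 parent created by mkdir_p`. Whether the recursive chmod dereferences symlinks it meets during traversal is a property of the platform `chmod` (GNU chmod ignores symlinks encountered while recursing, so a link in the archive pointing outside `dir` is not touched), which should be stated in that comment or pinned by a spec rather than assumed. The rename of `DEFAULT_MODE` to `DEFAULT_DIR_MODE` in the first hunk removes the old constant name, so any other reference to `CommandLineUtil::DEFAULT_MODE` outside this file would break; I cannot verify that from here. `untar_with_options` ends inside the hunk, but `execute`'s body continues outside it, so whether a non-zero exit from the chmod is surfaced is not visible.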
spec/fixtures/symlink_export.tar.gz
0 → 100644
File added
spec/lib/gitlab/import_export/command_line_util_spec.rb
0 → 100644
# frozen_string_literal: true
require
'spec_helper'
describe
Gitlab
::
ImportExport
::
CommandLineUtil
do
include
ExportFileHelper
let
(
:path
)
{
"
#{
Dir
.
tmpdir
}
/symlink_test"
}
let
(
:archive
)
{
'spec/fixtures/symlink_export.tar.gz'
}
let
(
:shared
)
{
Gitlab
::
ImportExport
::
Shared
.
new
(
nil
)
}
subject
do
Class
.
new
do
include
Gitlab
::
ImportExport
::
CommandLineUtil
def
initialize
@shared
=
Gitlab
::
ImportExport
::
Shared
.
new
(
nil
)
end
end
.
new
end
before
do
FileUtils
.
mkdir_p
(
path
)
subject
.
untar_zxf
(
archive:
archive
,
dir:
path
)
end
after
do
FileUtils
.
rm_rf
(
path
)
end
it
'has the right mask for project.json'
do
expect
(
file_permissions
(
"
#{
path
}
/project.json"
)).
to
eq
(
0755
)
# originally 777
end
it
'has the right mask for uploads'
do
expect
(
file_permissions
(
"
#{
path
}
/uploads"
)).
to
eq
(
0755
)
# originally 555
end
end
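Review bot: `let(:path) { "#{Dir.tmpdir}/symlink_test" }` is a fixed, predictable path under a shared temp directory, and `before` runs `FileUtils.mkdir_p(path)` and then extracts the archive into it; a spec whose subject is symlink handling should not itself extract into a location another local user could have pre-created or pre-linked. `Dir.mktmpdir` gives a fresh private directory and removes the need for the mkdir: `let(:path) { Dir.mktmpdir('symlink_test') }` with the `FileUtils.mkdir_p(path)` line dropped; the `after` block's `FileUtils.rm_rf(path)` still cleans it up. `let(:shared)` is defined but never read, since the anonymous subject builds its own `Shared`, so it can go. The `untar_zxf` method the subject calls is not part of this commit, so the mask being asserted is applied through code outside the hunk.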
spec/lib/gitlab/import_export/file_importer_spec.rb
require
'spec_helper'
describe
Gitlab
::
ImportExport
::
FileImporter
do
include
ExportFileHelper
let
(
:shared
)
{
Gitlab
::
ImportExport
::
Shared
.
new
(
nil
)
}
let
(
:storage_path
)
{
"
#{
Dir
.
tmpdir
}
/file_importer_spec"
}
let
(
:valid_file
)
{
"
#{
shared
.
export_path
}
/valid.json"
}
...
...
@@ -8,6 +10,7 @@ describe Gitlab::ImportExport::FileImporter do
let
(
:hidden_symlink_file
)
{
"
#{
shared
.
export_path
}
/.hidden"
}
let
(
:subfolder_symlink_file
)
{
"
#{
shared
.
export_path
}
/subfolder/invalid.json"
}
let
(
:evil_symlink_file
)
{
"
#{
shared
.
export_path
}
/.
\n
evil"
}
let
(
:custom_mode_symlink_file
)
{
"
#{
shared
.
export_path
}
/symlink.mode"
}
before
do
stub_const
(
'Gitlab::ImportExport::FileImporter::MAX_RETRIES'
,
0
)
...
...
@@ -45,10 +48,18 @@ describe Gitlab::ImportExport::FileImporter do
expect
(
File
.
exist?
(
subfolder_symlink_file
)).
to
be
false
end
it
'removes symlinks without any file permissions'
do
expect
(
File
.
exist?
(
custom_mode_symlink_file
)).
to
be
false
end
it
'does not remove a valid file'
do
expect
(
File
.
exist?
(
valid_file
)).
to
be
true
end
it
'does not change a valid file permissions'
do
expect
(
file_permissions
(
valid_file
)).
not_to
eq
(
0000
)
end
it
'creates the file in the right subfolder'
do
expect
(
shared
.
export_path
).
to
include
(
'test/abcd'
)
end
...
...
@@ -84,5 +95,7 @@ describe Gitlab::ImportExport::FileImporter do
FileUtils
.
ln_s
(
valid_file
,
subfolder_symlink_file
)
FileUtils
.
ln_s
(
valid_file
,
hidden_symlink_file
)
FileUtils
.
ln_s
(
valid_file
,
evil_symlink_file
)
FileUtils
.
ln_s
(
valid_file
,
custom_mode_symlink_file
)
FileUtils
.
chmod_R
(
0000
,
custom_mode_symlink_file
)
end
end
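Review bot: `FileUtils.chmod_R(0000, custom_mode_symlink_file)` is applied to a path that is itself a symlink, and as far as I recall FileUtils changes a symlink's own mode only through `File.lchmod`, which Linux does not provide, so on the platform CI most likely runs the link keeps its default mode and 'removes symlinks without any file permissions' may not be exercising the zero-permission case it names. Either assert the precondition in the example, or, if that case is meant to be covered by the `symlink_export.tar.gz` fixture instead, say so: `# chmod_R is a no-op on a symlink without lchmod; the 000-mode link case is covered by the fixture archive — TODO confirm`. `expect(file_permissions(valid_file)).not_to eq(0000)` in the earlier hunk is a weak check; pinning the exact mode the import should leave would catch a wrong mask rather than only an absent one. The setup block containing these `ln_s` calls starts outside the hunk.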
spec/support/import_export/export_file_helper.rb
...
...
@@ -133,6 +133,6 @@ module ExportFileHelper
end
def
file_permissions
(
file
)
File
.
stat
(
file
).
mode
&
0777
File
.
l
stat
(
file
).
mode
&
0777
end
end
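Review bot: Switching `file_permissions` from `File.stat` to `File.lstat` changes what the helper reports when `file` is a symlink — the link's own mode bits rather than the target's — and neither the method name nor the call sites signal that. A one-line comment keeps a later reader from "fixing" it back: `# lstat, not stat: a symlink reports its own mode, never its target's (on Linux a link's own mode is always 0777)`. The `eq(0755)` and `not_to eq(0000)` assertions in the new specs depend on this distinction, so it is worth stating where it is made.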