Use Gitlab::HTTP in download method

Use Gitlab::HTTP for ImportExport::CommandUtil to validate the fetch url against localhost downloads. Changelog: changed

Use Gitlab::HTTP in download method
Use Gitlab::HTTP for ImportExport::CommandUtil to validate the fetch url against localhost downloads. Changelog: changed
e225ad3e · Igor Frenkel · 40cdc406 · e225ad3e · e225ad3e
Commit e225ad3e authored Oct 17, 2021 by Igor Frenkel
Showing with 57 additions and 3 deletions

lib/gitlab/import_export/command_line_util.rb lib/gitlab/import_export/command_line_util.rb +13 -3

spec/lib/gitlab/import_export/command_line_util_spec.rb spec/lib/gitlab/import_export/command_line_util_spec.rb +44 -0

No files found.
--- a/lib/gitlab/import_export/command_line_util.rb
+++ b/lib/gitlab/import_export/command_line_util.rb
@@ -56,10 +56,20 @@ module Gitlab
      end

      def download(url, upload_path)
-        File.open(upload_path, 'w') do |file|
-          # Download (stream) file from the uploader's location
-          IO.copy_stream(URI.parse(url).open, file)
+        File.open(upload_path, 'wb') do |file|
+          Gitlab::HTTP.get(url, stream_body: true) do |fragment|
+            if [301, 302, 307].include?(fragment.code)
+              Gitlab::Import::Logger.warn(message: "received redirect fragment", fragment_code: fragment.code)
+            elsif fragment.code == 200
+              file.write(fragment)
+            else
+              raise Gitlab::ImportExport::Error, "unsupported response downloading fragment #{fragment.code}"
+            end
+          end
        end
+      rescue StandardError => e
+        @shared.error(e) # rubocop:disable Gitlab/ModuleWithInstanceVariables
+        raise e
      end

      def tar_with_options(archive:, dir:, options:)

--- a/spec/lib/gitlab/import_export/command_line_util_spec.rb
+++ b/spec/lib/gitlab/import_export/command_line_util_spec.rb
@@ -17,6 +17,10 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil do
      def initialize
        @shared = Gitlab::ImportExport::Shared.new(nil)
      end
+
+      def download(url, upload_path)
+        super(url, upload_path)
+      end
    end.new
  end

@@ -101,4 +105,44 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil do
      end
    end
  end
+
+  describe '#download' do
+    before do
+      stub_request(:get, loc)
+        .to_return(
+          status: 200,
+          body: content
+        )
+    end
+
+    context 'a non-localhost uri' do
+      let(:loc) { 'https://gitlab.com' }
+      let(:content) { File.open('spec/fixtures/rails_sample.tif') }
+
+      it 'gets the contents' do
+        Tempfile.create("foo") do |f|
+          subject.download(loc, f.path)
+          expect(f.read).to eq(File.open('spec/fixtures/rails_sample.tif').read)
+        end
+      end
+
+      it 'streams the contents' do
+        expect(Gitlab::HTTP).to receive(:get).with(loc, hash_including(stream_body: true))
+        Tempfile.create("foo") do |f|
+          subject.download(loc, f.path)
+        end
+      end
+    end
+
+    context 'a localhost uri' do
+      let(:loc) { 'https://localhost:8081/foo/bar' }
+      let(:content) { 'foo' }
+
+      it 'throws a blocked url error' do
+        Tempfile.create("foo") do |f|
+          expect { subject.download(loc, f.path) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
+        end
+      end
+    end
+  end
 end