Support only valid UTF-8 paths in build artifacts browser
This commit is contained in:
parent
ffee05c242
commit
2be76355ca
|
@ -10,7 +10,8 @@ module Gitlab
|
|||
attr_reader :file, :path, :full_version
|
||||
|
||||
def initialize(file, path)
|
||||
@file, @path = file, path
|
||||
@file = file
|
||||
@path = path.force_encoding('ASCII-8BIT')
|
||||
@full_version = read_version
|
||||
end
|
||||
|
||||
|
@ -42,7 +43,7 @@ module Gitlab
|
|||
|
||||
def match_entries(gz)
|
||||
paths, metadata = [], []
|
||||
match_pattern = %r{^#{Regexp.escape(@path)}[^/\s]*/?$}
|
||||
match_pattern = %r{^#{Regexp.escape(@path)}[^/]*/?$}
|
||||
invalid_pattern = %r{(^\.?\.?/)|(/\.?\.?/)}
|
||||
|
||||
until gz.eof? do
|
||||
|
@ -51,11 +52,12 @@ module Gitlab
|
|||
meta = read_string(gz)
|
||||
|
||||
next unless path =~ match_pattern
|
||||
next unless path.force_encoding('UTF-8').valid_encoding?
|
||||
next if path =~ invalid_pattern
|
||||
|
||||
paths.push(path)
|
||||
metadata.push(JSON.parse(meta.chomp, symbolize_names: true))
|
||||
rescue JSON::ParserError
|
||||
rescue JSON::ParserError, Encoding::CompatibilityError
|
||||
next
|
||||
end
|
||||
end
|
||||
|
|
|
@ -8,18 +8,24 @@ module Gitlab
|
|||
# This is IO-operations safe class, that does similar job to
|
||||
# Ruby's Pathname but without the risk of accessing filesystem.
|
||||
#
|
||||
# This class is working only with UTF-8 encoded paths.
|
||||
#
|
||||
class Path
|
||||
attr_reader :path, :universe
|
||||
attr_accessor :name
|
||||
|
||||
def initialize(path, universe, metadata = [])
|
||||
@path = path
|
||||
@path = path.force_encoding('UTF-8')
|
||||
@universe = universe
|
||||
@metadata = metadata
|
||||
|
||||
if path.include?("\0")
|
||||
raise ArgumentError, 'Path contains zero byte character!'
|
||||
end
|
||||
|
||||
unless path.valid_encoding?
|
||||
raise ArgumentError, 'Path contains non-UTF-8 byte sequence!'
|
||||
end
|
||||
end
|
||||
|
||||
def directory?
|
||||
|
@ -51,7 +57,7 @@ module Gitlab
|
|||
return [] unless directory?
|
||||
return @children if @children
|
||||
|
||||
child_pattern = %r{^#{Regexp.escape(@path)}[^/\s]+/?$}
|
||||
child_pattern = %r{^#{Regexp.escape(@path)}[^/]+/?$}
|
||||
@children = select { |entry| entry =~ child_pattern }
|
||||
end
|
||||
|
||||
|
|
Binary file not shown.
Binary file not shown.
Loading…
Reference in New Issue