From 43cc0d5a4ad4464901f700c0a46dbd304c1005c8 Mon Sep 17 00:00:00 2001
From: James Lopez <james@jameslopez.es>
Date: Wed, 5 Dec 2018 09:52:56 +0100
Subject: [PATCH 1/3] Fix persistent symlink in project import

- Fix permissions after untar is done
- Refactor command line util
---
 .../unreleased/security-import-symlink.yml    |   5 +++
 lib/gitlab/import_export/command_line_util.rb |   8 ++--
 spec/fixtures/symlink_export.tar.gz           | Bin 0 -> 435 bytes
 .../import_export/command_line_util_spec.rb   |  38 ++++++++++++++++++
 .../import_export/file_importer_spec.rb       |  13 ++++++
 .../import_export/export_file_helper.rb       |   2 +-
 6 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/unreleased/security-import-symlink.yml
 create mode 100644 spec/fixtures/symlink_export.tar.gz
 create mode 100644 spec/lib/gitlab/import_export/command_line_util_spec.rb

diff --git a/changelogs/unreleased/security-import-symlink.yml b/changelogs/unreleased/security-import-symlink.yml
new file mode 100644
index 00000000000..fe1b6eccf9e
--- /dev/null
+++ b/changelogs/unreleased/security-import-symlink.yml
@@ -0,0 +1,5 @@
+---
+title: Fix persistent symlink in project import
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/import_export/command_line_util.rb b/lib/gitlab/import_export/command_line_util.rb
index c9e2a6a78d9..bdecff0931c 100644
--- a/lib/gitlab/import_export/command_line_util.rb
+++ b/lib/gitlab/import_export/command_line_util.rb
@@ -3,7 +3,8 @@
 module Gitlab
   module ImportExport
     module CommandLineUtil
-      DEFAULT_MODE = 0700
+      UNTAR_MASK = 'u+rwX,go+rX,go-w'
+      DEFAULT_DIR_MODE = 0700
 
       def tar_czf(archive:, dir:)
         tar_with_options(archive: archive, dir: dir, options: 'czf')
@@ -14,8 +15,8 @@ module Gitlab
       end
 
       def mkdir_p(path)
-        FileUtils.mkdir_p(path, mode: DEFAULT_MODE)
-        FileUtils.chmod(DEFAULT_MODE, path)
+        FileUtils.mkdir_p(path, mode: DEFAULT_DIR_MODE)
+        FileUtils.chmod(DEFAULT_DIR_MODE, path)
       end
 
       private
@@ -41,6 +42,7 @@ module Gitlab
 
       def untar_with_options(archive:, dir:, options:)
         execute(%W(tar -#{options} #{archive} -C #{dir}))
+        execute(%W(chmod -R #{UNTAR_MASK} #{dir}))
       end
 
       def execute(cmd)
diff --git a/spec/fixtures/symlink_export.tar.gz b/spec/fixtures/symlink_export.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..f295f69c56c3ad2fd717f719bbfb78009a2a79a3
GIT binary patch
literal 435
zcmb2|=3o$LVUJ;8zI<6<<J5UCU%iW`wa%SSUchMp1m@=9442cECEPl2g2k!%=CWs8
zZO7Eu+McnwIjn1HRGg4|XhDL5^z#KxmmW<zqO>4*lTdMR_s12?THfA=mH9t*G0l-v
za@aS!xp85uZCm5dx32E%(wG~s9r@>Z$k@hr->sOaQf04_kJIB9D&2eL*Y{}pzx($d
zpPE+I@%weF!TnX|!^CW5#m=wyv7Gs8`^U#J@2<EC+Ibx>b1NzPmXoVvW%s@NA^+~}
z$D8i&HTkC#`^O?F?w{P>|AO;F`Evj6&+4s7da(V9!{-~h=YNOQ&Htah`;yx^&2Z({
z>!0oW^}FhJ@$Db=)vp5Y{P?4NJ2&@h30p5C*W!mfU%q&A7kv^A?)sXU&Te2oW7e!k
z=l(DF!*uq4+p=Y92ma*eWTYHfkl<ylu6Tgs{Qr(0=TDwFea-v4&Pkv1r}e#-E|XnQ
zp|1I_ace`TVsq2Px-8F4b&g4eg_T^Ucbl2qD*p601sZU<9n_FuU7R4&Llox)GlSP*
Kc{c_P1_l5*FViUi

literal 0
HcmV?d00001

diff --git a/spec/lib/gitlab/import_export/command_line_util_spec.rb b/spec/lib/gitlab/import_export/command_line_util_spec.rb
new file mode 100644
index 00000000000..8e5e0aefac0
--- /dev/null
+++ b/spec/lib/gitlab/import_export/command_line_util_spec.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::ImportExport::CommandLineUtil do
+  include ExportFileHelper
+
+  let(:path) { "#{Dir.tmpdir}/symlink_test" }
+  let(:archive) { 'spec/fixtures/symlink_export.tar.gz' }
+  let(:shared) { Gitlab::ImportExport::Shared.new(nil) }
+
+  subject do
+    Class.new do
+      include Gitlab::ImportExport::CommandLineUtil
+
+      def initialize
+        @shared = Gitlab::ImportExport::Shared.new(nil)
+      end
+    end.new
+  end
+
+  before do
+    FileUtils.mkdir_p(path)
+    subject.untar_zxf(archive: archive, dir: path)
+  end
+
+  after do
+    FileUtils.rm_rf(path)
+  end
+
+  it 'has the right mask for project.json' do
+    expect(file_permissions("#{path}/project.json")).to eq(0755) # originally 777
+  end
+
+  it 'has the right mask for uploads' do
+    expect(file_permissions("#{path}/uploads")).to eq(0755) # originally 555
+  end
+end
diff --git a/spec/lib/gitlab/import_export/file_importer_spec.rb b/spec/lib/gitlab/import_export/file_importer_spec.rb
index bf34cefe18f..fbc9bcd2df5 100644
--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
+++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
@@ -1,6 +1,8 @@
 require 'spec_helper'
 
 describe Gitlab::ImportExport::FileImporter do
+  include ExportFileHelper
+
   let(:shared) { Gitlab::ImportExport::Shared.new(nil) }
   let(:storage_path) { "#{Dir.tmpdir}/file_importer_spec" }
   let(:valid_file) { "#{shared.export_path}/valid.json" }
@@ -8,6 +10,7 @@ describe Gitlab::ImportExport::FileImporter do
   let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
   let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
   let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }
+  let(:custom_mode_symlink_file) { "#{shared.export_path}/symlink.mode" }
 
   before do
     stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
@@ -45,10 +48,18 @@ describe Gitlab::ImportExport::FileImporter do
       expect(File.exist?(subfolder_symlink_file)).to be false
     end
 
+    it 'removes symlinks without any file permissions' do
+      expect(File.exist?(custom_mode_symlink_file)).to be false
+    end
+
     it 'does not remove a valid file' do
       expect(File.exist?(valid_file)).to be true
     end
 
+    it 'does not change a valid file permissions' do
+      expect(file_permissions(valid_file)).not_to eq(0000)
+    end
+
     it 'creates the file in the right subfolder' do
       expect(shared.export_path).to include('test/abcd')
     end
@@ -84,5 +95,7 @@ describe Gitlab::ImportExport::FileImporter do
     FileUtils.ln_s(valid_file, subfolder_symlink_file)
     FileUtils.ln_s(valid_file, hidden_symlink_file)
     FileUtils.ln_s(valid_file, evil_symlink_file)
+    FileUtils.ln_s(valid_file, custom_mode_symlink_file)
+    FileUtils.chmod_R(0000, custom_mode_symlink_file)
   end
 end
diff --git a/spec/support/import_export/export_file_helper.rb b/spec/support/import_export/export_file_helper.rb
index a49036c3b80..ac320934f5a 100644
--- a/spec/support/import_export/export_file_helper.rb
+++ b/spec/support/import_export/export_file_helper.rb
@@ -133,6 +133,6 @@ module ExportFileHelper
   end
 
   def file_permissions(file)
-    File.stat(file).mode & 0777
+    File.lstat(file).mode & 0777
   end
 end

From 8cea6527225cc128bddf2930b85709b05350a65a Mon Sep 17 00:00:00 2001
From: GitLab Release Tools Bot <robert+release-tools@gitlab.com>
Date: Thu, 20 Dec 2018 16:54:07 +0000
Subject: [PATCH 2/3] Update CHANGELOG.md for 11.5.5

[ci skip]
---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a51ac887aed..08b7a9ecdac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 11.5.5 (2018-12-20)
+
+### Security (1 change)
+
+- Fix persistent symlink in project import.
+
+
 ## 11.5.3 (2018-12-06)
 
 ### Security (1 change)

From 3f9724f6fe061ba8f86041e3e3afc1aadb5a8478 Mon Sep 17 00:00:00 2001
From: GitLab Release Tools Bot <robert+release-tools@gitlab.com>
Date: Thu, 20 Dec 2018 17:30:20 +0000
Subject: [PATCH 3/3] Update CHANGELOG.md for 11.3.14

[ci skip]
---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 08b7a9ecdac..4b4f8fea31c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -635,6 +635,13 @@ entry.
 - Check frozen string in style builds. (gfyoung)
 
 
+## 11.3.14 (2018-12-20)
+
+### Security (1 change)
+
+- Fix persistent symlink in project import.
+
+
 ## 11.3.13 (2018-12-13)
 
 ### Security (1 change)