Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq
This commit is contained in:
commit
89b0be149e
7 changed files with 76 additions and 4 deletions
14
CHANGELOG.md
14
CHANGELOG.md
|
@ -2,6 +2,13 @@
|
||||||
documentation](doc/development/changelog.md) for instructions on adding your own
|
documentation](doc/development/changelog.md) for instructions on adding your own
|
||||||
entry.
|
entry.
|
||||||
|
|
||||||
|
## 11.5.5 (2018-12-20)
|
||||||
|
|
||||||
|
### Security (1 change)
|
||||||
|
|
||||||
|
- Fix persistent symlink in project import.
|
||||||
|
|
||||||
|
|
||||||
## 11.5.3 (2018-12-06)
|
## 11.5.3 (2018-12-06)
|
||||||
|
|
||||||
### Security (1 change)
|
### Security (1 change)
|
||||||
|
@ -628,6 +635,13 @@ entry.
|
||||||
- Check frozen string in style builds. (gfyoung)
|
- Check frozen string in style builds. (gfyoung)
|
||||||
|
|
||||||
|
|
||||||
|
## 11.3.14 (2018-12-20)
|
||||||
|
|
||||||
|
### Security (1 change)
|
||||||
|
|
||||||
|
- Fix persistent symlink in project import.
|
||||||
|
|
||||||
|
|
||||||
## 11.3.13 (2018-12-13)
|
## 11.3.13 (2018-12-13)
|
||||||
|
|
||||||
### Security (1 change)
|
### Security (1 change)
|
||||||
|
|
5
changelogs/unreleased/security-import-symlink.yml
Normal file
5
changelogs/unreleased/security-import-symlink.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Fix persistent symlink in project import
|
||||||
|
merge_request:
|
||||||
|
author:
|
||||||
|
type: security
|
|
@ -3,7 +3,8 @@
|
||||||
module Gitlab
|
module Gitlab
|
||||||
module ImportExport
|
module ImportExport
|
||||||
module CommandLineUtil
|
module CommandLineUtil
|
||||||
DEFAULT_MODE = 0700
|
UNTAR_MASK = 'u+rwX,go+rX,go-w'
|
||||||
|
DEFAULT_DIR_MODE = 0700
|
||||||
|
|
||||||
def tar_czf(archive:, dir:)
|
def tar_czf(archive:, dir:)
|
||||||
tar_with_options(archive: archive, dir: dir, options: 'czf')
|
tar_with_options(archive: archive, dir: dir, options: 'czf')
|
||||||
|
@ -14,8 +15,8 @@ module Gitlab
|
||||||
end
|
end
|
||||||
|
|
||||||
def mkdir_p(path)
|
def mkdir_p(path)
|
||||||
FileUtils.mkdir_p(path, mode: DEFAULT_MODE)
|
FileUtils.mkdir_p(path, mode: DEFAULT_DIR_MODE)
|
||||||
FileUtils.chmod(DEFAULT_MODE, path)
|
FileUtils.chmod(DEFAULT_DIR_MODE, path)
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
@ -41,6 +42,7 @@ module Gitlab
|
||||||
|
|
||||||
def untar_with_options(archive:, dir:, options:)
|
def untar_with_options(archive:, dir:, options:)
|
||||||
execute(%W(tar -#{options} #{archive} -C #{dir}))
|
execute(%W(tar -#{options} #{archive} -C #{dir}))
|
||||||
|
execute(%W(chmod -R #{UNTAR_MASK} #{dir}))
|
||||||
end
|
end
|
||||||
|
|
||||||
def execute(cmd)
|
def execute(cmd)
|
||||||
|
|
BIN
spec/fixtures/symlink_export.tar.gz
vendored
Normal file
BIN
spec/fixtures/symlink_export.tar.gz
vendored
Normal file
Binary file not shown.
38
spec/lib/gitlab/import_export/command_line_util_spec.rb
Normal file
38
spec/lib/gitlab/import_export/command_line_util_spec.rb
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
describe Gitlab::ImportExport::CommandLineUtil do
|
||||||
|
include ExportFileHelper
|
||||||
|
|
||||||
|
let(:path) { "#{Dir.tmpdir}/symlink_test" }
|
||||||
|
let(:archive) { 'spec/fixtures/symlink_export.tar.gz' }
|
||||||
|
let(:shared) { Gitlab::ImportExport::Shared.new(nil) }
|
||||||
|
|
||||||
|
subject do
|
||||||
|
Class.new do
|
||||||
|
include Gitlab::ImportExport::CommandLineUtil
|
||||||
|
|
||||||
|
def initialize
|
||||||
|
@shared = Gitlab::ImportExport::Shared.new(nil)
|
||||||
|
end
|
||||||
|
end.new
|
||||||
|
end
|
||||||
|
|
||||||
|
before do
|
||||||
|
FileUtils.mkdir_p(path)
|
||||||
|
subject.untar_zxf(archive: archive, dir: path)
|
||||||
|
end
|
||||||
|
|
||||||
|
after do
|
||||||
|
FileUtils.rm_rf(path)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'has the right mask for project.json' do
|
||||||
|
expect(file_permissions("#{path}/project.json")).to eq(0755) # originally 777
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'has the right mask for uploads' do
|
||||||
|
expect(file_permissions("#{path}/uploads")).to eq(0755) # originally 555
|
||||||
|
end
|
||||||
|
end
|
|
@ -1,6 +1,8 @@
|
||||||
require 'spec_helper'
|
require 'spec_helper'
|
||||||
|
|
||||||
describe Gitlab::ImportExport::FileImporter do
|
describe Gitlab::ImportExport::FileImporter do
|
||||||
|
include ExportFileHelper
|
||||||
|
|
||||||
let(:shared) { Gitlab::ImportExport::Shared.new(nil) }
|
let(:shared) { Gitlab::ImportExport::Shared.new(nil) }
|
||||||
let(:storage_path) { "#{Dir.tmpdir}/file_importer_spec" }
|
let(:storage_path) { "#{Dir.tmpdir}/file_importer_spec" }
|
||||||
let(:valid_file) { "#{shared.export_path}/valid.json" }
|
let(:valid_file) { "#{shared.export_path}/valid.json" }
|
||||||
|
@ -8,6 +10,7 @@ describe Gitlab::ImportExport::FileImporter do
|
||||||
let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
|
let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
|
||||||
let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
|
let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
|
||||||
let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }
|
let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }
|
||||||
|
let(:custom_mode_symlink_file) { "#{shared.export_path}/symlink.mode" }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
|
stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
|
||||||
|
@ -45,10 +48,18 @@ describe Gitlab::ImportExport::FileImporter do
|
||||||
expect(File.exist?(subfolder_symlink_file)).to be false
|
expect(File.exist?(subfolder_symlink_file)).to be false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'removes symlinks without any file permissions' do
|
||||||
|
expect(File.exist?(custom_mode_symlink_file)).to be false
|
||||||
|
end
|
||||||
|
|
||||||
it 'does not remove a valid file' do
|
it 'does not remove a valid file' do
|
||||||
expect(File.exist?(valid_file)).to be true
|
expect(File.exist?(valid_file)).to be true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'does not change a valid file permissions' do
|
||||||
|
expect(file_permissions(valid_file)).not_to eq(0000)
|
||||||
|
end
|
||||||
|
|
||||||
it 'creates the file in the right subfolder' do
|
it 'creates the file in the right subfolder' do
|
||||||
expect(shared.export_path).to include('test/abcd')
|
expect(shared.export_path).to include('test/abcd')
|
||||||
end
|
end
|
||||||
|
@ -84,5 +95,7 @@ describe Gitlab::ImportExport::FileImporter do
|
||||||
FileUtils.ln_s(valid_file, subfolder_symlink_file)
|
FileUtils.ln_s(valid_file, subfolder_symlink_file)
|
||||||
FileUtils.ln_s(valid_file, hidden_symlink_file)
|
FileUtils.ln_s(valid_file, hidden_symlink_file)
|
||||||
FileUtils.ln_s(valid_file, evil_symlink_file)
|
FileUtils.ln_s(valid_file, evil_symlink_file)
|
||||||
|
FileUtils.ln_s(valid_file, custom_mode_symlink_file)
|
||||||
|
FileUtils.chmod_R(0000, custom_mode_symlink_file)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -133,6 +133,6 @@ module ExportFileHelper
|
||||||
end
|
end
|
||||||
|
|
||||||
def file_permissions(file)
|
def file_permissions(file)
|
||||||
File.stat(file).mode & 0777
|
File.lstat(file).mode & 0777
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue