Merge branch 'jivl-dev-master-into-com-master' into 'master'
Merge dev master to CE .com master as part of the security release process Closes #49133 See merge request gitlab-org/gitlab-ce!20681
This commit is contained in:
commit
9bdc9b1ae6
22
CHANGELOG.md
22
CHANGELOG.md
|
@ -2,6 +2,13 @@
|
|||
documentation](doc/development/changelog.md) for instructions on adding your own
|
||||
entry.
|
||||
|
||||
## 11.0.4 (2018-07-17)
|
||||
|
||||
### Security (1 change)
|
||||
|
||||
- Fix symlink vulnerability in project import.
|
||||
|
||||
|
||||
## 11.0.3 (2018-07-05)
|
||||
|
||||
### Fixed (14 changes, 1 of them is from the community)
|
||||
|
@ -295,6 +302,14 @@ entry.
|
|||
- Workhorse to send raw diff and patch for commits.
|
||||
|
||||
|
||||
## 10.8.6 (2018-07-17)
|
||||
|
||||
### Security (2 changes)
|
||||
|
||||
- Fix symlink vulnerability in project import.
|
||||
- Merge branch 'fix-mr-widget-border' into 'master'.
|
||||
|
||||
|
||||
## 10.8.5 (2018-06-21)
|
||||
|
||||
### Security (5 changes)
|
||||
|
@ -524,6 +539,13 @@ entry.
|
|||
- Gitaly handles repository forks by default.
|
||||
|
||||
|
||||
## 10.7.7 (2018-07-17)
|
||||
|
||||
### Security (1 change)
|
||||
|
||||
- Fix symlink vulnerability in project import.
|
||||
|
||||
|
||||
## 10.7.6 (2018-06-21)
|
||||
|
||||
### Security (6 changes)
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Fix symlink vulnerability in project import
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -4,6 +4,7 @@ module Gitlab
|
|||
include Gitlab::ImportExport::CommandLineUtil
|
||||
|
||||
MAX_RETRIES = 8
|
||||
IGNORED_FILENAMES = %w(. ..).freeze
|
||||
|
||||
def self.import(*args)
|
||||
new(*args).import
|
||||
|
@ -59,7 +60,7 @@ module Gitlab
|
|||
end
|
||||
|
||||
def extracted_files
|
||||
Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ %r{.*/\.{1,2}$} }
|
||||
Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| IGNORED_FILENAMES.include?(File.basename(f)) }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -7,6 +7,7 @@ describe Gitlab::ImportExport::FileImporter do
|
|||
let(:symlink_file) { "#{shared.export_path}/invalid.json" }
|
||||
let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
|
||||
let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
|
||||
let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }
|
||||
|
||||
before do
|
||||
stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
|
||||
|
@ -34,6 +35,10 @@ describe Gitlab::ImportExport::FileImporter do
|
|||
expect(File.exist?(hidden_symlink_file)).to be false
|
||||
end
|
||||
|
||||
it 'removes evil symlinks in root folder' do
|
||||
expect(File.exist?(evil_symlink_file)).to be false
|
||||
end
|
||||
|
||||
it 'removes symlinks in subfolders' do
|
||||
expect(File.exist?(subfolder_symlink_file)).to be false
|
||||
end
|
||||
|
@ -75,5 +80,7 @@ describe Gitlab::ImportExport::FileImporter do
|
|||
FileUtils.touch(valid_file)
|
||||
FileUtils.ln_s(valid_file, symlink_file)
|
||||
FileUtils.ln_s(valid_file, subfolder_symlink_file)
|
||||
FileUtils.ln_s(valid_file, hidden_symlink_file)
|
||||
FileUtils.ln_s(valid_file, evil_symlink_file)
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue