Don't leak information about private project existence via Git-over-SSH/HTTP.
This commit is contained in:
parent
039fd3c562
commit
dd37a10df4
|
@ -16,6 +16,17 @@ module API
|
|||
#
|
||||
post "/allowed" do
|
||||
status 200
|
||||
|
||||
actor = if params[:key_id]
|
||||
Key.find_by(id: params[:key_id])
|
||||
elsif params[:user_id]
|
||||
User.find_by(id: params[:user_id])
|
||||
end
|
||||
|
||||
unless actor
|
||||
return Gitlab::GitAccessStatus.new(false, 'No such user or key')
|
||||
end
|
||||
|
||||
project_path = params[:project]
|
||||
|
||||
# Check for *.wiki repositories.
|
||||
|
@ -32,26 +43,20 @@ module API
|
|||
|
||||
project = Project.find_with_namespace(project_path)
|
||||
|
||||
unless project
|
||||
return Gitlab::GitAccessStatus.new(false, 'No such project')
|
||||
if project
|
||||
status = access.check(
|
||||
actor,
|
||||
params[:action],
|
||||
project,
|
||||
params[:changes]
|
||||
)
|
||||
end
|
||||
|
||||
actor = if params[:key_id]
|
||||
Key.find_by(id: params[:key_id])
|
||||
elsif params[:user_id]
|
||||
User.find_by(id: params[:user_id])
|
||||
end
|
||||
|
||||
unless actor
|
||||
return Gitlab::GitAccessStatus.new(false, 'No such user or key')
|
||||
if project && status && status.allowed?
|
||||
status
|
||||
else
|
||||
Gitlab::GitAccessStatus.new(false, 'No such project')
|
||||
end
|
||||
|
||||
access.check(
|
||||
actor,
|
||||
params[:action],
|
||||
project,
|
||||
params[:changes]
|
||||
)
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
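Review bot: Collapsing every non-allowed result into `Gitlab::GitAccessStatus.new(false, 'No such project')` also discards the denial message for actors who are entitled to see the project — a user pushing to a protected branch, or any other reason `access.check` returns a disallowed status, is now told the project does not exist. The leak this commit closes only needs a caller who cannot read the project to get the same answer as for a missing one, so returning `status` unchanged whenever the actor can read `project` (and the stub only when it cannot) would keep the fix without that regression; the read-permission check is outside this hunk, so I cannot name it here. The `project &&` in `if project && status && status.allowed?` is redundant, since `status` is only assigned under `if project` (Ruby still defines the local, as `nil`, on the other path) — `if status && status.allowed?` reads more directly. The `post "/allowed"` block opens in the preceding hunk; its closing `end` is the context line in this one.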
@ -10,8 +10,9 @@ module Grack
|
|||
@request = Rack::Request.new(env)
|
||||
@auth = Request.new(env)
|
||||
|
||||
# Need this patch due to the rails mount
|
||||
@gitlab_ci = false
|
||||
|
||||
# Need this patch due to the rails mount
|
||||
# Need this if under RELATIVE_URL_ROOT
|
||||
unless Gitlab.config.gitlab.relative_url_root.empty?
|
||||
# If website is mounted using relative_url_root need to remove it first
|
||||
|
@ -22,8 +23,12 @@ module Grack
|
|||
|
||||
@env['SCRIPT_NAME'] = ""
|
||||
|
||||
if project
|
||||
auth!
|
||||
auth!
|
||||
|
||||
if project && authorized_request?
|
||||
@app.call(env)
|
||||
elsif @user.nil? && !@gitlab_ci
|
||||
unauthorized
|
||||
else
|
||||
render_not_found
|
||||
end
|
||||
|
@ -32,35 +37,30 @@ module Grack
|
|||
private
|
||||
|
||||
def auth!
|
||||
if @auth.provided?
|
||||
return bad_request unless @auth.basic?
|
||||
return unless @auth.provided?
|
||||
|
||||
# Authentication with username and password
|
||||
login, password = @auth.credentials
|
||||
return bad_request unless @auth.basic?
|
||||
|
||||
# Allow authentication for GitLab CI service
|
||||
# if valid token passed
|
||||
if gitlab_ci_request?(login, password)
|
||||
return @app.call(env)
|
||||
end
|
||||
# Authentication with username and password
|
||||
login, password = @auth.credentials
|
||||
|
||||
@user = authenticate_user(login, password)
|
||||
|
||||
if @user
|
||||
Gitlab::ShellEnv.set_env(@user)
|
||||
@env['REMOTE_USER'] = @auth.username
|
||||
end
|
||||
# Allow authentication for GitLab CI service
|
||||
# if valid token passed
|
||||
if gitlab_ci_request?(login, password)
|
||||
@gitlab_ci = true
|
||||
return
|
||||
end
|
||||
|
||||
if authorized_request?
|
||||
@app.call(env)
|
||||
else
|
||||
unauthorized
|
||||
@user = authenticate_user(login, password)
|
||||
|
||||
if @user
|
||||
Gitlab::ShellEnv.set_env(@user)
|
||||
@env['REMOTE_USER'] = @auth.username
|
||||
end
|
||||
end
|
||||
|
||||
def gitlab_ci_request?(login, password)
|
||||
if login == "gitlab-ci-token" && project.gitlab_ci?
|
||||
if login == "gitlab-ci-token" && project && project.gitlab_ci?
|
||||
token = project.gitlab_ci_service.token
|
||||
|
||||
if token.present? && token == password && git_cmd == 'git-upload-pack'
|
||||
|
@ -107,6 +107,8 @@ module Grack
|
|||
end
|
||||
|
||||
def authorized_request?
|
||||
return true if @gitlab_ci
|
||||
|
||||
case git_cmd
|
||||
when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
|
||||
if user
|
||||
|
@ -141,7 +143,9 @@ module Grack
|
|||
end
|
||||
|
||||
def project
|
||||
@project ||= project_by_path(@request.path_info)
|
||||
return @project if defined?(@project)
|
||||
|
||||
@project = project_by_path(@request.path_info)
|
||||
end
|
||||
|
||||
def project_by_path(path)
|
||||
|
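Review bot: `return bad_request unless @auth.basic?` in the new `auth!` no longer reaches the client, because `call` now discards the return value of `auth!` and chooses the response from `project`, `@user` and `@gitlab_ci` alone; a request carrying a non-Basic `Authorization` header therefore falls through to `unauthorized` instead of the `bad_request` response the old code returned, with `@user` left `nil` exactly as for wrong credentials. Moving the check into `call` ahead of `auth!` — `return bad_request if @auth.provided? && !@auth.basic?` — and reducing the line in `auth!` to `return unless @auth.basic?` restores the old response; `call` opens above the first Grack hunk. The new `elsif @user.nil? && !@gitlab_ci` branch deserves a comment, since the branch order is what makes the fix work: `# Anonymous callers get the same unauthorized response for missing and inaccessible projects, so existence is not revealed; only authenticated callers reach render_not_found.` The `project && project.gitlab_ci?` guard in `gitlab_ci_request?` and the `defined?(@project)` memoisation that caches a `nil` lookup both look correct as written.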
|