Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq into jivl-dev-master-into-com-master

2018-07-17 17:27:44 -05:00 · 2018-07-17 17:27:44 -05:00 · df04160884
parent 489025bbdd 465da1c7b4
commit df04160884
4 changed files with 36 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.

+## 11.0.4 (2018-07-17)
+
+### Security (1 change)
+
+- Fix symlink vulnerability in project import.
+
+
 ## 11.0.3 (2018-07-05)

 ### Fixed (14 changes, 1 of them is from the community)
@ -295,6 +302,14 @@ entry.
 - Workhorse to send raw diff and patch for commits.


+## 10.8.6 (2018-07-17)
+
+### Security (2 changes)
+
+- Fix symlink vulnerability in project import.
+- Merge branch 'fix-mr-widget-border' into 'master'.
+
+
 ## 10.8.5 (2018-06-21)

 ### Security (5 changes)
@ -524,6 +539,13 @@ entry.
 - Gitaly handles repository forks by default.


+## 10.7.7 (2018-07-17)
+
+### Security (1 change)
+
+- Fix symlink vulnerability in project import.
+
+
 ## 10.7.6 (2018-06-21)

 ### Security (6 changes)
--- a/changelogs/unreleased/sh-fix-issue-49133.yml
+++ b/changelogs/unreleased/sh-fix-issue-49133.yml
@ -0,0 +1,5 @@
+---
+title: Fix symlink vulnerability in project import
+merge_request:
+author:
+type: security
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@ -4,6 +4,7 @@ module Gitlab
      include Gitlab::ImportExport::CommandLineUtil

      MAX_RETRIES = 8
+      IGNORED_FILENAMES = %w(. ..).freeze

      def self.import(*args)
        new(*args).import
@ -59,7 +60,7 @@ module Gitlab
      end

      def extracted_files
-        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ %r{.*/\.{1,2}$} }
+        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| IGNORED_FILENAMES.include?(File.basename(f)) }
      end
    end
  end
--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
+++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
@ -7,6 +7,7 @@ describe Gitlab::ImportExport::FileImporter do
  let(:symlink_file) { "#{shared.export_path}/invalid.json" }
  let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
  let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
+  let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }

  before do
    stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
@ -34,6 +35,10 @@ describe Gitlab::ImportExport::FileImporter do
      expect(File.exist?(hidden_symlink_file)).to be false
    end

+    it 'removes evil symlinks in root folder' do
+      expect(File.exist?(evil_symlink_file)).to be false
+    end
+
    it 'removes symlinks in subfolders' do
      expect(File.exist?(subfolder_symlink_file)).to be false
    end
@ -75,5 +80,7 @@ describe Gitlab::ImportExport::FileImporter do
    FileUtils.touch(valid_file)
    FileUtils.ln_s(valid_file, symlink_file)
    FileUtils.ln_s(valid_file, subfolder_symlink_file)
+    FileUtils.ln_s(valid_file, hidden_symlink_file)
+    FileUtils.ln_s(valid_file, evil_symlink_file)
  end
 end