Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq into jivl-dev-master-into-com-master
This commit is contained in:
commit
df04160884
4 changed files with 36 additions and 1 deletions
22
CHANGELOG.md
22
CHANGELOG.md
|
@ -2,6 +2,13 @@
|
|||
documentation](doc/development/changelog.md) for instructions on adding your own
|
||||
entry.
|
||||
|
||||
## 11.0.4 (2018-07-17)
|
||||
|
||||
### Security (1 change)
|
||||
|
||||
- Fix symlink vulnerability in project import.
|
||||
|
||||
|
||||
## 11.0.3 (2018-07-05)
|
||||
|
||||
### Fixed (14 changes, 1 of them is from the community)
|
||||
|
@ -295,6 +302,14 @@ entry.
|
|||
- Workhorse to send raw diff and patch for commits.
|
||||
|
||||
|
||||
## 10.8.6 (2018-07-17)
|
||||
|
||||
### Security (2 changes)
|
||||
|
||||
- Fix symlink vulnerability in project import.
|
||||
- Merge branch 'fix-mr-widget-border' into 'master'.
|
||||
|
||||
|
||||
## 10.8.5 (2018-06-21)
|
||||
|
||||
### Security (5 changes)
|
||||
|
@ -524,6 +539,13 @@ entry.
|
|||
- Gitaly handles repository forks by default.
|
||||
|
||||
|
||||
## 10.7.7 (2018-07-17)
|
||||
|
||||
### Security (1 change)
|
||||
|
||||
- Fix symlink vulnerability in project import.
|
||||
|
||||
|
||||
## 10.7.6 (2018-06-21)
|
||||
|
||||
### Security (6 changes)
|
||||
|
|
5
changelogs/unreleased/sh-fix-issue-49133.yml
Normal file
5
changelogs/unreleased/sh-fix-issue-49133.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Fix symlink vulnerability in project import
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -4,6 +4,7 @@ module Gitlab
|
|||
include Gitlab::ImportExport::CommandLineUtil
|
||||
|
||||
MAX_RETRIES = 8
|
||||
IGNORED_FILENAMES = %w(. ..).freeze
|
||||
|
||||
def self.import(*args)
|
||||
new(*args).import
|
||||
|
@ -59,7 +60,7 @@ module Gitlab
|
|||
end
|
||||
|
||||
def extracted_files
|
||||
Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ %r{.*/\.{1,2}$} }
|
||||
Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| IGNORED_FILENAMES.include?(File.basename(f)) }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -7,6 +7,7 @@ describe Gitlab::ImportExport::FileImporter do
|
|||
let(:symlink_file) { "#{shared.export_path}/invalid.json" }
|
||||
let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
|
||||
let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
|
||||
let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }
|
||||
|
||||
before do
|
||||
stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
|
||||
|
@ -34,6 +35,10 @@ describe Gitlab::ImportExport::FileImporter do
|
|||
expect(File.exist?(hidden_symlink_file)).to be false
|
||||
end
|
||||
|
||||
it 'removes evil symlinks in root folder' do
|
||||
expect(File.exist?(evil_symlink_file)).to be false
|
||||
end
|
||||
|
||||
it 'removes symlinks in subfolders' do
|
||||
expect(File.exist?(subfolder_symlink_file)).to be false
|
||||
end
|
||||
|
@ -75,5 +80,7 @@ describe Gitlab::ImportExport::FileImporter do
|
|||
FileUtils.touch(valid_file)
|
||||
FileUtils.ln_s(valid_file, symlink_file)
|
||||
FileUtils.ln_s(valid_file, subfolder_symlink_file)
|
||||
FileUtils.ln_s(valid_file, hidden_symlink_file)
|
||||
FileUtils.ln_s(valid_file, evil_symlink_file)
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue