Merge branch 'sh-fix-issue-49133-11-1-stable' into 'security-11-1'

Fix symlink vulnerability in project import See merge request gitlab/gitlabhq!2435

Merge branch 'sh-fix-issue-49133-11-1-stable' into 'security-11-1'
Fix symlink vulnerability in project import See merge request gitlab/gitlabhq!2435
7df7b3be · Dmitriy Zaporozhets · Alessio Caiazza · 03655698 · 7df7b3be · 7df7b3be
Commit 7df7b3be authored Jul 16, 2018 by Dmitriy Zaporozhets Committed by Alessio Caiazza Jul 17, 2018
3 changed files
--- a/changelogs/unreleased/sh-fix-issue-49133-11-1-stable.yml
+++ b/changelogs/unreleased/sh-fix-issue-49133-11-1-stable.yml
+---
+title: Fix symlink vulnerability in project import
+merge_request:
+author:
+type: security
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -4,6 +4,7 @@ module Gitlab
      include Gitlab::ImportExport::CommandLineUtil

      MAX_RETRIES = 8
+      IGNORED_FILENAMES = %w(. ..).freeze

      def self.import(*args)
        new(*args).import
@@ -59,7 +60,7 @@ module Gitlab
      end

      def extracted_files
-        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ %r{.*/\.{1,2}$} }
+        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| IGNORED_FILENAMES.include?(File.basename(f)) }
      end
    end
  end

--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
+++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
@@ -7,6 +7,7 @@ describe Gitlab::ImportExport::FileImporter do
  let(:symlink_file) { "#{shared.export_path}/invalid.json" }
  let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
  let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
+  let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }

  before do
    stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
@@ -34,6 +35,10 @@ describe Gitlab::ImportExport::FileImporter do
      expect(File.exist?(hidden_symlink_file)).to be false
    end

+    it 'removes evil symlinks in root folder' do
+      expect(File.exist?(evil_symlink_file)).to be false
+    end
+
    it 'removes symlinks in subfolders' do
      expect(File.exist?(subfolder_symlink_file)).to be false
    end
@@ -75,5 +80,7 @@ describe Gitlab::ImportExport::FileImporter do
    FileUtils.touch(valid_file)
    FileUtils.ln_s(valid_file, symlink_file)
    FileUtils.ln_s(valid_file, subfolder_symlink_file)
+    FileUtils.ln_s(valid_file, hidden_symlink_file)
+    FileUtils.ln_s(valid_file, evil_symlink_file)
  end
 end