Support only valid UTF-8 paths in build artifacts browser

2be76355 · Grzegorz Bizon · ffee05c2 · 2be76355 · 2be76355 · 2be76355
Commit 2be76355 authored Jan 12, 2016 by Grzegorz Bizon
4 changed files
--- a/lib/gitlab/ci/build/artifacts/metadata.rb
+++ b/lib/gitlab/ci/build/artifacts/metadata.rb
@@ -10,7 +10,8 @@ module Gitlab
          attr_reader :file, :path, :full_version
          def initialize(file, path)
-            @file, @path = file, path
+            @file = file
+            @path = path.force_encoding('ASCII-8BIT')
            @full_version = read_version
          end
@@ -42,7 +43,7 @@ module Gitlab
          def match_entries(gz)
            paths, metadata = [], []
-            match_pattern = %r{^#{Regexp.escape(@path)}[^/\s]*/?$}
+            match_pattern = %r{^#{Regexp.escape(@path)}[^/]*/?$}
            invalid_pattern = %r{(^\.?\.?/)|(/\.?\.?/)}
            until gz.eof? do
@@ -51,11 +52,12 @@ module Gitlab
                meta = read_string(gz)
                next unless path =~ match_pattern
+                next unless path.force_encoding('UTF-8').valid_encoding?
                next if path =~ invalid_pattern
                paths.push(path)
                metadata.push(JSON.parse(meta.chomp, symbolize_names: true))
-              rescue JSON::ParserError
+              rescue JSON::ParserError, Encoding::CompatibilityError
                next
              end
            end

--- a/lib/gitlab/ci/build/artifacts/metadata/path.rb
+++ b/lib/gitlab/ci/build/artifacts/metadata/path.rb
@@ -8,18 +8,24 @@ module Gitlab
      # This is IO-operations safe class, that does similar job to
      # Ruby's Pathname but without the risk of accessing filesystem.
      #
+      # This class is working only with UTF-8 encoded paths.
+      #
      class Path
        attr_reader :path, :universe
        attr_accessor :name
        def initialize(path, universe, metadata = [])
-          @path = path
+          @path = path.force_encoding('UTF-8')
          @universe = universe
          @metadata = metadata
          if path.include?("\0")
            raise ArgumentError, 'Path contains zero byte character!'
          end
+          unless path.valid_encoding?
+            raise ArgumentError, 'Path contains non-UTF-8 byte sequence!'
+          end
        end
        def directory?
@@ -51,7 +57,7 @@ module Gitlab
          return [] unless directory?
          return @children if @children
-          child_pattern = %r{^#{Regexp.escape(@path)}[^/\s]+/?$}
+          child_pattern = %r{^#{Regexp.escape(@path)}[^/]+/?$}
          @children = select { |entry| entry =~ child_pattern }
        end

--- a/spec/fixtures/ci_build_artifacts.zip
+++ b/spec/fixtures/ci_build_artifacts.zip
--- a/spec/fixtures/ci_build_artifacts_metadata.gz
+++ b/spec/fixtures/ci_build_artifacts_metadata.gz