Improve path sanitization in `StringPath`

df411486 · Grzegorz Bizon · a3191463 · df411486 · df411486 · df411486
Commit df411486 authored Jan 02, 2016 by Grzegorz Bizon
Showing with 13 additions and 15 deletions

app/models/ci/build.rb app/models/ci/build.rb +5 -5

lib/gitlab/string_path.rb lib/gitlab/string_path.rb +8 -9

spec/lib/gitlab/string_path_spec.rb spec/lib/gitlab/string_path_spec.rb +0 -1

No files found.
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -352,15 +352,15 @@ module Ci
    def artifacts_metadata_for_path(path)
      return [] unless artifacts_metadata.exists?
      paths, metadata = [], []
-      meta_path = path.sub(/^\.\//, '')

+      metadata_path = path.sub(/^\.\//, '')
      File.open(artifacts_metadata.path) do |file|
        gzip = Zlib::GzipReader.new(file)
        gzip.each_line do |line|
-          if line =~ %r{^#{meta_path}[^/]+/?\s}
-            path, meta =  line.split(' ')
-            paths << path
-            metadata << JSON.parse(meta)
+          if line =~ %r{^#{Regexp.escape(metadata_path)}[^/\s]+/?\s}
+            matched_path, matched_meta =  line.split(' ')
+            paths << matched_path
+            metadata << JSON.parse(matched_meta)
          end
        end
        gzip.close

--- a/lib/gitlab/string_path.rb
+++ b/lib/gitlab/string_path.rb
@@ -57,7 +57,7 @@ module Gitlab

    def descendants
      return [] unless directory?
-      select { |entry| entry =~ /^#{@path}.+/ }
+      select { |entry| entry =~ /^#{Regexp.escape(@path)}.+/ }
    end

    def children
@@ -65,7 +65,7 @@ module Gitlab
      return @children if @children

      @children = select do |entry|
-        self.class.child?(@path, entry)
+        entry =~ %r{^#{Regexp.escape(@path)}[^/\s]+/?$}
      end
    end

@@ -75,7 +75,7 @@ module Gitlab
    end

    def directories!
-      has_parent? ? directories.prepend(new(@path + '../')) : directories
+      has_parent? ? directories.prepend(parent) : directories
    end

    def files
@@ -115,13 +115,12 @@ module Gitlab
      # It looks like Pathname#new doesn't touch a file system,
      # neither Pathname#cleanpath does, so it is, hopefully, filesystem safe

-      clean = Pathname.new(path).cleanpath.to_s
-      raise ArgumentError, 'Invalid path' if clean.start_with?('../')
-      clean + (path.end_with?('/') ? '/' : '')
-    end
+      clean_path = Pathname.new(path).cleanpath.to_s
+      raise ArgumentError, 'Invalid path' if clean_path.start_with?('../')

-    def self.child?(path, entry)
-      entry =~ %r{^#{path}[^/\s]+/?$}
+      prefix = './' unless clean_path =~ %r{^[\.|/]}
+      suffix = '/' if path.end_with?('/') || clean_path =~ /^[\.|\.\.]$/
+      prefix.to_s + clean_path + suffix.to_s
    end
  end
 end
--- a/spec/lib/gitlab/string_path_spec.rb
+++ b/spec/lib/gitlab/string_path_spec.rb
@@ -45,7 +45,6 @@ describe Gitlab::StringPath do

    it { is_expected.to be_directory }
    it { is_expected.to be_relative }
-    it { is_expected.to have_parent }
  end

  describe 'path/dir_1/', path: 'path/dir_1/' do