Commit ea88c9b2 authored by Jacob Vosmaer's avatar Jacob Vosmaer

Handle invalid number of arguments

When a remote user with a valid SSH key runs something like 'ssh
git@gitlab.example.com foobar', gitlab-shell would raise an exception in
the GitlabShell#escape_path method. With this change, we catch an
invalid number of arguments as soon as possible and exit.
parent b5284310
v1.9.8 v1.9.8
- Replace raise with abort when checking path to prevent path exposure - Replace raise with abort when checking path to prevent path exposure
- Handle invalid number of arguments on remote commands
v1.9.7 v1.9.7
- Increased test coverage - Increased test coverage
......
...@@ -3,6 +3,8 @@ require 'shellwords' ...@@ -3,6 +3,8 @@ require 'shellwords'
require_relative 'gitlab_net' require_relative 'gitlab_net'
class GitlabShell class GitlabShell
DisallowedCommandError = Class.new(StandardError)
attr_accessor :key_id, :repo_name, :git_cmd, :repos_path, :repo_name attr_accessor :key_id, :repo_name, :git_cmd, :repos_path, :repo_name
def initialize def initialize
...@@ -28,19 +30,22 @@ class GitlabShell ...@@ -28,19 +30,22 @@ class GitlabShell
$stderr.puts "Access denied." $stderr.puts "Access denied."
end end
else else
message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}." raise DisallowedCommandError
$logger.warn message
puts 'Not allowed command'
end end
else else
puts "Welcome to GitLab, #{username}!" puts "Welcome to GitLab, #{username}!"
end end
rescue DisallowedCommandError => ex
message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}."
$logger.warn message
puts 'Not allowed command'
end end
protected protected
def parse_cmd def parse_cmd
args = Shellwords.shellwords(@origin_cmd) args = Shellwords.shellwords(@origin_cmd)
raise DisallowedCommandError unless args.count == 2
@git_cmd = args[0] @git_cmd = args[0]
@repo_name = escape_path(args[1]) @repo_name = escape_path(args[1])
end end
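Review bot: `Shellwords.shellwords(@origin_cmd)` in `parse_cmd` raises `ArgumentError` when the command contains an unmatched quote, so malformed input of that kind still surfaces as an unhandled exception before the new `args.count == 2` guard runs. Converting it at the call site keeps one rejection path: wrap the call in `begin ... rescue ArgumentError` and `raise DisallowedCommandError` from the handler. Separately, the warning in the new `rescue` block interpolates the raw, client-supplied `@origin_cmd`; logging `@origin_cmd.inspect` instead would stop embedded newlines or control characters from forging log lines. The method holding the `rescue` starts outside the hunk, so this assumes `parse_cmd` is called from inside it.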
......
...@@ -48,6 +48,14 @@ describe GitlabShell do ...@@ -48,6 +48,14 @@ describe GitlabShell do
its(:repo_name) { should == 'dmitriy.zaporozhets/gitlab-ci.git' } its(:repo_name) { should == 'dmitriy.zaporozhets/gitlab-ci.git' }
its(:git_cmd) { should == 'git-upload-pack' } its(:git_cmd) { should == 'git-upload-pack' }
end end
context 'with an invalid number of arguments' do
before { ssh_cmd 'foobar' }
it "should raise an DisallowedCommandError" do
expect { subject.send :parse_cmd }.to raise_error(GitlabShell::DisallowedCommandError)
end
end
end end
describe :exec do describe :exec do
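Review bot: The new context only covers a command with too few arguments (`ssh_cmd 'foobar'`), but the `args.count == 2` guard also rejects commands with extra arguments, and that branch is untested. A sibling context with a constructed three-word command, e.g. `before { ssh_cmd 'git-upload-pack gitlab-ci.git extra' }`, and the same `raise_error(GitlabShell::DisallowedCommandError)` expectation would pin it. The example name should read "should raise a DisallowedCommandError".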
......