Render only valid paths in artifacts metadata

In this version we will support only relative paths in artifacts metadata. Support for absolute paths will be introduced later.

Render only valid paths in artifacts metadata
In this version we will support only relative paths in artifacts metadata. Support for absolute paths will be introduced later.
09a4a5af · Grzegorz Bizon · 61fb47a4 · 09a4a5af · 09a4a5af · 09a4a5af
Commit 09a4a5af authored Jan 11, 2016 by Grzegorz Bizon
6 changed files
--- a/app/controllers/projects/artifacts_controller.rb
+++ b/app/controllers/projects/artifacts_controller.rb
@@ -16,7 +16,10 @@ class Projects::ArtifactsController < Projects::ApplicationController
  def browse
    return render_404 unless build.artifacts?
-    @path = build.artifacts_metadata_path(params[:path].to_s)
+    directory = params[:path] ? "#{params[:path]}/" : ''
+    @path = build.artifacts_metadata_path(directory)
    return render_404 unless @path.exists?
  end

--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -347,10 +347,8 @@ module Ci
      artifacts? && artifacts_file.path.end_with?('zip') && artifacts_metadata.exists?
    end
    def artifacts_metadata_path(path)
-      metadata_file = artifacts_metadata.path
+      Gitlab::Ci::Build::Artifacts::Metadata.new(artifacts_metadata.path, path).to_path
-      Gitlab::Ci::Build::Artifacts::Metadata.new(metadata_file, path).to_path
    end
    private

--- a/lib/gitlab/ci/build/artifacts/metadata.rb
+++ b/lib/gitlab/ci/build/artifacts/metadata.rb
@@ -12,7 +12,6 @@ module Gitlab
          def initialize(file, path)
            @file, @path = file, path
            @full_version = read_version
-            @path << '/' unless path.end_with?('/') || path.empty?
          end
          def version
@@ -43,14 +42,15 @@ module Gitlab
          def match_entries(gz)
            paths, metadata = [], []
-            child_pattern = %r{^#{Regexp.escape(@path)}[^/\s]*/?$}
+            match_pattern = %r{^#{Regexp.escape(@path)}[^/\s]*/?$}
            until gz.eof? do
              begin
                path = read_string(gz)
                meta = read_string(gz)
-                next unless path =~ child_pattern
+                next unless path =~ match_pattern
+                next unless path_valid?(path)
                paths.push(path)
                metadata.push(JSON.parse(meta.chomp, symbolize_names: true))
@@ -62,6 +62,10 @@ module Gitlab
            [paths, metadata]
          end
+          def path_valid?(path)
+            !(path.start_with?('/') || path =~ %r{\.?\./})
+          end
          def read_version
            gzip do|gz|
              version_string = read_string(gz)

--- a/lib/gitlab/ci/build/artifacts/metadata/path.rb
+++ b/lib/gitlab/ci/build/artifacts/metadata/path.rb
@@ -23,7 +23,7 @@ module Gitlab
        end
        def directory?
-          @path.end_with?('/') || @path.blank?
+          blank_node? || @path.end_with?('/')
        end
        def file?
@@ -40,11 +40,11 @@ module Gitlab
        end
        def basename
-          directory? ? name + ::File::SEPARATOR : name
+          (directory? && !blank_node?) ? name + ::File::SEPARATOR : name
        end
        def name
-          @name || @path.split(::File::SEPARATOR).last
+          @name || @path.split(::File::SEPARATOR).last.to_s
        end
        def children
@@ -83,7 +83,11 @@ module Gitlab
        end
        def exists?
-          @path.blank? || @universe.include?(@path)
+          blank_node? || @universe.include?(@path)
+        end
+        def blank_node?
+          @path.empty? # "" is considered to be './'
        end
        def to_s

--- a/spec/lib/gitlab/ci/build/artifacts/metadata/path_spec.rb
+++ b/spec/lib/gitlab/ci/build/artifacts/metadata/path_spec.rb
@@ -108,14 +108,14 @@ describe Gitlab::Ci::Build::Artifacts::Metadata::Path do
    end
  end
-  describe '#nodes', path: './test' do
+  describe '#nodes', path: 'test' do
    subject { |example| path(example).nodes }
-    it { is_expected.to eq 2 }
+    it { is_expected.to eq 1 }
  end
-  describe '#nodes', path: './test/' do
+  describe '#nodes', path: 'test/' do
    subject { |example| path(example).nodes }
-    it { is_expected.to eq 2 }
+    it { is_expected.to eq 1 }
  end
  describe '#metadata' do

--- a/spec/lib/gitlab/ci/build/artifacts/metadata_spec.rb
+++ b/spec/lib/gitlab/ci/build/artifacts/metadata_spec.rb
@@ -28,8 +28,8 @@ describe Gitlab::Ci::Build::Artifacts::Metadata do
      end
    end
-    describe '#match! other_artifacts_0.1.2' do
+    describe '#match! other_artifacts_0.1.2/' do
-      subject { metadata('other_artifacts_0.1.2').match! }
+      subject { metadata('other_artifacts_0.1.2/').match! }
      it 'matches correct paths' do
        expect(subject.first).
@@ -39,7 +39,7 @@ describe Gitlab::Ci::Build::Artifacts::Metadata do
      end
    end
-    describe '#match! other_artifacts_0.1.2/another-subdirectory' do
+    describe '#match! other_artifacts_0.1.2/another-subdirectory/' do
      subject { metadata('other_artifacts_0.1.2/another-subdirectory/').match! }
      it 'matches correct paths' do
@@ -52,7 +52,7 @@ describe Gitlab::Ci::Build::Artifacts::Metadata do
    describe '#to_path' do
      subject { metadata('').to_path }
-      it { is_expected.to be_an_instance_of(Gitlab::Ci::Build::Artifacts::Metdata::Path) }
+      it { is_expected.to be_an_instance_of(Gitlab::Ci::Build::Artifacts::Metadata::Path) }
    end
    describe '#full_version' do