Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
5cf5680f
Commit
5cf5680f
authored
Jun 14, 2018
by
Jacob Vosmaer (GitLab)
Committed by
Douwe Maan
Jun 14, 2018
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Deny repository disk access in development and test
parent
434efdac
Changes
17
Hide whitespace changes
Inline
Side-by-side
Showing
17 changed files
with
83 additions
and
34 deletions
+83
-34
app/models/project_services/gemnasium_service.rb
app/models/project_services/gemnasium_service.rb
+6
-1
db/migrate/20161124141322_migrate_process_commit_worker_jobs.rb
...rate/20161124141322_migrate_process_commit_worker_jobs.rb
+3
-1
db/migrate/20161226122833_remove_dot_git_from_usernames.rb
db/migrate/20161226122833_remove_dot_git_from_usernames.rb
+3
-1
lib/gitlab/gitaly_client.rb
lib/gitlab/gitaly_client.rb
+8
-6
lib/system_check/orphans/repository_check.rb
lib/system_check/orphans/repository_check.rb
+9
-7
spec/controllers/projects_controller_spec.rb
spec/controllers/projects_controller_spec.rb
+9
-3
spec/helpers/projects_helper_spec.rb
spec/helpers/projects_helper_spec.rb
+5
-1
spec/lib/gitlab/git_access_wiki_spec.rb
spec/lib/gitlab/git_access_wiki_spec.rb
+3
-1
spec/migrations/migrate_process_commit_worker_jobs_spec.rb
spec/migrations/migrate_process_commit_worker_jobs_spec.rb
+5
-1
spec/migrations/turn_nested_groups_into_regular_groups_for_mysql_spec.rb
.../turn_nested_groups_into_regular_groups_for_mysql_spec.rb
+6
-2
spec/models/project_spec.rb
spec/models/project_spec.rb
+10
-4
spec/models/project_wiki_spec.rb
spec/models/project_wiki_spec.rb
+5
-1
spec/models/remote_mirror_spec.rb
spec/models/remote_mirror_spec.rb
+3
-1
spec/requests/api/internal_spec.rb
spec/requests/api/internal_spec.rb
+0
-1
spec/services/projects/create_service_spec.rb
spec/services/projects/create_service_spec.rb
+4
-1
spec/support/gitaly.rb
spec/support/gitaly.rb
+1
-1
spec/workers/repository_remove_remote_worker_spec.rb
spec/workers/repository_remove_remote_worker_spec.rb
+3
-1
No files found.
app/models/project_services/gemnasium_service.rb
View file @
5cf5680f
...
@@ -43,13 +43,18 @@ class GemnasiumService < Service
...
@@ -43,13 +43,18 @@ class GemnasiumService < Service
def
execute
(
data
)
def
execute
(
data
)
return
unless
supported_events
.
include?
(
data
[
:object_kind
])
return
unless
supported_events
.
include?
(
data
[
:object_kind
])
# Gitaly: this class will be removed https://gitlab.com/gitlab-org/gitlab-ee/issues/6010
repo_path
=
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
project
.
repository
.
path_to_repo
end
Gemnasium
::
GitlabService
.
execute
(
Gemnasium
::
GitlabService
.
execute
(
ref:
data
[
:ref
],
ref:
data
[
:ref
],
before:
data
[
:before
],
before:
data
[
:before
],
after:
data
[
:after
],
after:
data
[
:after
],
token:
token
,
token:
token
,
api_key:
api_key
,
api_key:
api_key
,
repo:
project
.
repository
.
path_to_repo
# Gitaly: fixed by https://gitlab.com/gitlab-org/security-products/gemnasium-migration/issues/9
repo:
repo_path
)
)
end
end
end
end
db/migrate/20161124141322_migrate_process_commit_worker_jobs.rb
View file @
5cf5680f
...
@@ -12,7 +12,9 @@ class MigrateProcessCommitWorkerJobs < ActiveRecord::Migration
...
@@ -12,7 +12,9 @@ class MigrateProcessCommitWorkerJobs < ActiveRecord::Migration
end
end
def
repository_storage_path
def
repository_storage_path
Gitlab
.
config
.
repositories
.
storages
[
repository_storage
].
legacy_disk_path
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
Gitlab
.
config
.
repositories
.
storages
[
repository_storage
].
legacy_disk_path
end
end
end
def
repository_path
def
repository_path
...
...
db/migrate/20161226122833_remove_dot_git_from_usernames.rb
View file @
5cf5680f
...
@@ -64,7 +64,9 @@ class RemoveDotGitFromUsernames < ActiveRecord::Migration
...
@@ -64,7 +64,9 @@ class RemoveDotGitFromUsernames < ActiveRecord::Migration
# we rename suffix instead of removing it
# we rename suffix instead of removing it
path
=
path
.
sub
(
/\.git\z/
,
'_git'
)
path
=
path
.
sub
(
/\.git\z/
,
'_git'
)
check_routes
(
path
.
dup
,
0
,
path
)
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
check_routes
(
path
.
dup
,
0
,
path
)
end
end
end
def
check_routes
(
base
,
counter
,
path
)
def
check_routes
(
base
,
counter
,
path
)
...
...
lib/gitlab/gitaly_client.rb
View file @
5cf5680f
...
@@ -33,11 +33,6 @@ module Gitlab
...
@@ -33,11 +33,6 @@ module Gitlab
MAXIMUM_GITALY_CALLS
=
35
MAXIMUM_GITALY_CALLS
=
35
CLIENT_NAME
=
(
Sidekiq
.
server?
?
'gitlab-sidekiq'
:
'gitlab-web'
).
freeze
CLIENT_NAME
=
(
Sidekiq
.
server?
?
'gitlab-sidekiq'
:
'gitlab-web'
).
freeze
# We have a mechanism to let GitLab automatically opt in to all Gitaly
# features. We want to be able to exclude some features from automatic
# opt-in. That is what EXPLICIT_OPT_IN_REQUIRED is for.
EXPLICIT_OPT_IN_REQUIRED
=
[
Gitlab
::
GitalyClient
::
StorageSettings
::
DISK_ACCESS_DENIED_FLAG
].
freeze
MUTEX
=
Mutex
.
new
MUTEX
=
Mutex
.
new
class
<<
self
class
<<
self
...
@@ -249,7 +244,7 @@ module Gitlab
...
@@ -249,7 +244,7 @@ module Gitlab
when
MigrationStatus
::
OPT_OUT
when
MigrationStatus
::
OPT_OUT
true
true
when
MigrationStatus
::
OPT_IN
when
MigrationStatus
::
OPT_IN
opt_into_all_features?
&&
!
EXPLICIT_OPT_IN_REQUIRED
.
include?
(
feature_name
)
opt_into_all_features?
&&
!
explicit_opt_in_required
.
include?
(
feature_name
)
else
else
false
false
end
end
...
@@ -259,6 +254,13 @@ module Gitlab
...
@@ -259,6 +254,13 @@ module Gitlab
false
false
end
end
# We have a mechanism to let GitLab automatically opt in to all Gitaly
# features. We want to be able to exclude some features from automatic
# opt-in. This function has an override in EE.
def
self
.
explicit_opt_in_required
[]
end
# opt_into_all_features? returns true when the current environment
# opt_into_all_features? returns true when the current environment
# is one in which we opt into features automatically
# is one in which we opt into features automatically
def
self
.
opt_into_all_features?
def
self
.
opt_into_all_features?
...
...
lib/system_check/orphans/repository_check.rb
View file @
5cf5680f
...
@@ -5,16 +5,18 @@ module SystemCheck
...
@@ -5,16 +5,18 @@ module SystemCheck
attr_accessor
:orphans
attr_accessor
:orphans
def
multi_check
def
multi_check
Gitlab
.
config
.
repositories
.
storages
.
each
do
|
storage_name
,
repository_storage
|
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
storage_path
=
repository_storage
.
legacy_disk_path
Gitlab
.
config
.
repositories
.
storages
.
each
do
|
storage_name
,
repository_storage
|
storage_path
=
repository_storage
.
legacy_disk_path
$stdout
.
puts
$stdout
.
puts
$stdout
.
puts
"* Storage:
#{
storage_name
}
(
#{
storage_path
}
)"
.
color
(
:yellow
)
$stdout
.
puts
"* Storage:
#{
storage_name
}
(
#{
storage_path
}
)"
.
color
(
:yellow
)
repositories
=
disk_repositories
(
storage_path
)
repositories
=
disk_repositories
(
storage_path
)
orphans
=
(
repositories
-
fetch_repositories
(
storage_name
))
orphans
=
(
repositories
-
fetch_repositories
(
storage_name
))
print_orphans
(
orphans
,
storage_name
)
print_orphans
(
orphans
,
storage_name
)
end
end
end
end
end
...
...
spec/controllers/projects_controller_spec.rb
View file @
5cf5680f
...
@@ -296,16 +296,22 @@ describe ProjectsController do
...
@@ -296,16 +296,22 @@ describe ProjectsController do
shared_examples_for
'updating a project'
do
shared_examples_for
'updating a project'
do
context
'when only renaming a project path'
do
context
'when only renaming a project path'
do
it
"sets the repository to the right path after a rename"
do
it
"sets the repository to the right path after a rename"
do
original_repository_path
=
project
.
repository
.
path
original_repository_path
=
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
project
.
repository
.
path
end
expect
{
update_project
path:
'renamed_path'
}
expect
{
update_project
path:
'renamed_path'
}
.
to
change
{
project
.
reload
.
path
}
.
to
change
{
project
.
reload
.
path
}
expect
(
project
.
path
).
to
include
'renamed_path'
expect
(
project
.
path
).
to
include
'renamed_path'
assign_repository_path
=
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
assigns
(
:repository
).
path
end
if
project
.
hashed_storage?
(
:repository
)
if
project
.
hashed_storage?
(
:repository
)
expect
(
assign
s
(
:repository
).
path
).
to
eq
(
original_repository_path
)
expect
(
assign
_repository_
path
).
to
eq
(
original_repository_path
)
else
else
expect
(
assign
s
(
:repository
).
path
).
to
include
(
project
.
path
)
expect
(
assign
_repository_
path
).
to
include
(
project
.
path
)
end
end
expect
(
response
).
to
have_gitlab_http_status
(
302
)
expect
(
response
).
to
have_gitlab_http_status
(
302
)
...
...
spec/helpers/projects_helper_spec.rb
View file @
5cf5680f
...
@@ -280,7 +280,11 @@ describe ProjectsHelper do
...
@@ -280,7 +280,11 @@ describe ProjectsHelper do
describe
'#sanitizerepo_repo_path'
do
describe
'#sanitizerepo_repo_path'
do
let
(
:project
)
{
create
(
:project
,
:repository
)
}
let
(
:project
)
{
create
(
:project
,
:repository
)
}
let
(
:storage_path
)
{
Gitlab
.
config
.
repositories
.
storages
.
default
.
legacy_disk_path
}
let
(
:storage_path
)
do
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
Gitlab
.
config
.
repositories
.
storages
.
default
.
legacy_disk_path
end
end
before
do
before
do
allow
(
Settings
.
shared
).
to
receive
(
:[]
).
with
(
'path'
).
and_return
(
'/base/repo/export/path'
)
allow
(
Settings
.
shared
).
to
receive
(
:[]
).
with
(
'path'
).
and_return
(
'/base/repo/export/path'
)
...
...
spec/lib/gitlab/git_access_wiki_spec.rb
View file @
5cf5680f
...
@@ -52,7 +52,9 @@ describe Gitlab::GitAccessWiki do
...
@@ -52,7 +52,9 @@ describe Gitlab::GitAccessWiki do
context
'when the wiki repository does not exist'
do
context
'when the wiki repository does not exist'
do
it
'returns not found'
do
it
'returns not found'
do
wiki_repo
=
project
.
wiki
.
repository
wiki_repo
=
project
.
wiki
.
repository
FileUtils
.
rm_rf
(
wiki_repo
.
path
)
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
FileUtils
.
rm_rf
(
wiki_repo
.
path
)
end
# Sanity check for rm_rf
# Sanity check for rm_rf
expect
(
wiki_repo
.
exists?
).
to
eq
(
false
)
expect
(
wiki_repo
.
exists?
).
to
eq
(
false
)
...
...
spec/migrations/migrate_process_commit_worker_jobs_spec.rb
View file @
5cf5680f
...
@@ -6,7 +6,11 @@ require Rails.root.join('db', 'migrate', '20161124141322_migrate_process_commit_
...
@@ -6,7 +6,11 @@ require Rails.root.join('db', 'migrate', '20161124141322_migrate_process_commit_
describe
MigrateProcessCommitWorkerJobs
do
describe
MigrateProcessCommitWorkerJobs
do
let
(
:project
)
{
create
(
:project
,
:legacy_storage
,
:repository
)
}
# rubocop:disable RSpec/FactoriesInMigrationSpecs
let
(
:project
)
{
create
(
:project
,
:legacy_storage
,
:repository
)
}
# rubocop:disable RSpec/FactoriesInMigrationSpecs
let
(
:user
)
{
create
(
:user
)
}
# rubocop:disable RSpec/FactoriesInMigrationSpecs
let
(
:user
)
{
create
(
:user
)
}
# rubocop:disable RSpec/FactoriesInMigrationSpecs
let
(
:commit
)
{
project
.
commit
.
raw
.
rugged_commit
}
let
(
:commit
)
do
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
project
.
commit
.
raw
.
rugged_commit
end
end
describe
'Project'
do
describe
'Project'
do
describe
'find_including_path'
do
describe
'find_including_path'
do
...
...
spec/migrations/turn_nested_groups_into_regular_groups_for_mysql_spec.rb
View file @
5cf5680f
...
@@ -49,10 +49,14 @@ describe TurnNestedGroupsIntoRegularGroupsForMysql do
...
@@ -49,10 +49,14 @@ describe TurnNestedGroupsIntoRegularGroupsForMysql do
end
end
it
'renames the repository of any projects'
do
it
'renames the repository of any projects'
do
expect
(
updated_project
.
repository
.
path
)
repo_path
=
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
updated_project
.
repository
.
path
end
expect
(
repo_path
)
.
to
end_with
(
"
#{
parent_group
.
name
}
-
#{
child_group
.
name
}
/
#{
updated_project
.
path
}
.git"
)
.
to
end_with
(
"
#{
parent_group
.
name
}
-
#{
child_group
.
name
}
/
#{
updated_project
.
path
}
.git"
)
expect
(
File
.
directory?
(
updated_project
.
repository
.
path
)).
to
eq
(
true
)
expect
(
File
.
directory?
(
repo_
path
)).
to
eq
(
true
)
end
end
it
'creates a redirect route for renamed projects'
do
it
'creates a redirect route for renamed projects'
do
...
...
spec/models/project_spec.rb
View file @
5cf5680f
...
@@ -2943,7 +2943,7 @@ describe Project do
...
@@ -2943,7 +2943,7 @@ describe Project do
project
.
rename_repo
project
.
rename_repo
expect
(
project
.
repository
.
rugged
.
config
[
'gitlab.fullpath'
]).
to
eq
(
project
.
full_path
)
expect
(
rugged_
config
[
'gitlab.fullpath'
]).
to
eq
(
project
.
full_path
)
end
end
end
end
...
@@ -3104,7 +3104,7 @@ describe Project do
...
@@ -3104,7 +3104,7 @@ describe Project do
it
'updates project full path in .git/config'
do
it
'updates project full path in .git/config'
do
project
.
rename_repo
project
.
rename_repo
expect
(
project
.
repository
.
rugged
.
config
[
'gitlab.fullpath'
]).
to
eq
(
project
.
full_path
)
expect
(
rugged_
config
[
'gitlab.fullpath'
]).
to
eq
(
project
.
full_path
)
end
end
end
end
...
@@ -3525,13 +3525,13 @@ describe Project do
...
@@ -3525,13 +3525,13 @@ describe Project do
it
'writes full path in .git/config when key is missing'
do
it
'writes full path in .git/config when key is missing'
do
project
.
write_repository_config
project
.
write_repository_config
expect
(
project
.
repository
.
rugged
.
config
[
'gitlab.fullpath'
]).
to
eq
project
.
full_path
expect
(
rugged_
config
[
'gitlab.fullpath'
]).
to
eq
project
.
full_path
end
end
it
'updates full path in .git/config when key is present'
do
it
'updates full path in .git/config when key is present'
do
project
.
write_repository_config
(
gl_full_path:
'old/path'
)
project
.
write_repository_config
(
gl_full_path:
'old/path'
)
expect
{
project
.
write_repository_config
}.
to
change
{
project
.
repository
.
rugged
.
config
[
'gitlab.fullpath'
]
}.
from
(
'old/path'
).
to
(
project
.
full_path
)
expect
{
project
.
write_repository_config
}.
to
change
{
rugged_
config
[
'gitlab.fullpath'
]
}.
from
(
'old/path'
).
to
(
project
.
full_path
)
end
end
it
'does not raise an error with an empty repository'
do
it
'does not raise an error with an empty repository'
do
...
@@ -3817,4 +3817,10 @@ describe Project do
...
@@ -3817,4 +3817,10 @@ describe Project do
let
(
:uploader_class
)
{
AttachmentUploader
}
let
(
:uploader_class
)
{
AttachmentUploader
}
end
end
end
end
def
rugged_config
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
project
.
repository
.
rugged
.
config
end
end
end
end
spec/models/project_wiki_spec.rb
View file @
5cf5680f
...
@@ -188,7 +188,11 @@ describe ProjectWiki do
...
@@ -188,7 +188,11 @@ describe ProjectWiki do
before
do
before
do
subject
.
wiki
# Make sure the wiki repo exists
subject
.
wiki
# Make sure the wiki repo exists
BareRepoOperations
.
new
(
subject
.
repository
.
path_to_repo
).
commit_file
(
image
,
'image.png'
)
repo_path
=
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
subject
.
repository
.
path_to_repo
end
BareRepoOperations
.
new
(
repo_path
).
commit_file
(
image
,
'image.png'
)
end
end
it
'returns the latest version of the file if it exists'
do
it
'returns the latest version of the file if it exists'
do
...
...
spec/models/remote_mirror_spec.rb
View file @
5cf5680f
...
@@ -74,7 +74,9 @@ describe RemoteMirror do
...
@@ -74,7 +74,9 @@ describe RemoteMirror do
mirror
.
update_attribute
(
:url
,
'http://foo:baz@test.com'
)
mirror
.
update_attribute
(
:url
,
'http://foo:baz@test.com'
)
config
=
repo
.
raw_repository
.
rugged
.
config
config
=
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
repo
.
raw_repository
.
rugged
.
config
end
expect
(
config
[
"remote.
#{
mirror
.
remote_name
}
.url"
]).
to
eq
(
'http://foo:baz@test.com'
)
expect
(
config
[
"remote.
#{
mirror
.
remote_name
}
.url"
]).
to
eq
(
'http://foo:baz@test.com'
)
end
end
...
...
spec/requests/api/internal_spec.rb
View file @
5cf5680f
...
@@ -522,7 +522,6 @@ describe API::Internal do
...
@@ -522,7 +522,6 @@ describe API::Internal do
context
'the project path was changed'
do
context
'the project path was changed'
do
let
(
:project
)
{
create
(
:project
,
:repository
,
:legacy_storage
)
}
let
(
:project
)
{
create
(
:project
,
:repository
,
:legacy_storage
)
}
let!
(
:old_path_to_repo
)
{
project
.
repository
.
path_to_repo
}
let!
(
:repository
)
{
project
.
repository
}
let!
(
:repository
)
{
project
.
repository
}
before
do
before
do
...
...
spec/services/projects/create_service_spec.rb
View file @
5cf5680f
...
@@ -272,8 +272,11 @@ describe Projects::CreateService, '#execute' do
...
@@ -272,8 +272,11 @@ describe Projects::CreateService, '#execute' do
it
'writes project full path to .git/config'
do
it
'writes project full path to .git/config'
do
project
=
create_project
(
user
,
opts
)
project
=
create_project
(
user
,
opts
)
rugged
=
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
project
.
repository
.
rugged
end
expect
(
project
.
repository
.
rugged
.
config
[
'gitlab.fullpath'
]).
to
eq
project
.
full_path
expect
(
rugged
.
config
[
'gitlab.fullpath'
]).
to
eq
project
.
full_path
end
end
def
create_project
(
user
,
opts
)
def
create_project
(
user
,
opts
)
...
...
spec/support/gitaly.rb
View file @
5cf5680f
...
@@ -9,7 +9,7 @@ RSpec.configure do |config|
...
@@ -9,7 +9,7 @@ RSpec.configure do |config|
# Use 'and_wrap_original' to make sure the arguments are valid
# Use 'and_wrap_original' to make sure the arguments are valid
allow
(
Gitlab
::
GitalyClient
).
to
receive
(
:feature_enabled?
).
and_wrap_original
do
|
m
,
*
args
|
allow
(
Gitlab
::
GitalyClient
).
to
receive
(
:feature_enabled?
).
and_wrap_original
do
|
m
,
*
args
|
m
.
call
(
*
args
)
m
.
call
(
*
args
)
!
Gitlab
::
GitalyClient
::
EXPLICIT_OPT_IN_REQUIRED
.
include?
(
args
.
first
)
!
Gitlab
::
GitalyClient
.
explicit_opt_in_required
.
include?
(
args
.
first
)
end
end
end
end
end
end
...
...
spec/workers/repository_remove_remote_worker_spec.rb
View file @
5cf5680f
...
@@ -44,7 +44,9 @@ describe RepositoryRemoveRemoteWorker do
...
@@ -44,7 +44,9 @@ describe RepositoryRemoveRemoteWorker do
end
end
def
create_remote_branch
(
remote_name
,
branch_name
,
target
)
def
create_remote_branch
(
remote_name
,
branch_name
,
target
)
rugged
=
project
.
repository
.
rugged
rugged
=
Gitlab
::
GitalyClient
::
StorageSettings
.
allow_disk_access
do
project
.
repository
.
rugged
end
rugged
.
references
.
create
(
"refs/remotes/
#{
remote_name
}
/
#{
branch_name
}
"
,
target
.
id
)
rugged
.
references
.
create
(
"refs/remotes/
#{
remote_name
}
/
#{
branch_name
}
"
,
target
.
id
)
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment