Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
8521af9f
Commit
8521af9f
authored
Jul 13, 2020
by
Giorgenes Gelatti
Committed by
Rémy Coutable
Jul 13, 2020
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Move package permitted upload paths to core
Move package related multipart handler and specs to core.
parent
58a7f989
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
94 additions
and
124 deletions
+94
-124
ee/lib/ee/gitlab/middleware/multipart/handler.rb
ee/lib/ee/gitlab/middleware/multipart/handler.rb
+0
-34
ee/spec/lib/gitlab/middleware/multipart_spec.rb
ee/spec/lib/gitlab/middleware/multipart_spec.rb
+0
-87
lib/gitlab/middleware/multipart.rb
lib/gitlab/middleware/multipart.rb
+16
-3
spec/lib/gitlab/middleware/multipart_spec.rb
spec/lib/gitlab/middleware/multipart_spec.rb
+78
-0
No files found.
ee/lib/ee/gitlab/middleware/multipart/handler.rb
deleted
100644 → 0
View file @
58a7f989
# frozen_string_literal: true
module
EE
module
Gitlab
module
Middleware
module
Multipart
module
Handler
extend
::
Gitlab
::
Utils
::
Override
private
override
:allowed_paths
def
allowed_paths
paths
=
super
packages_config
=
::
Gitlab
.
config
.
packages
if
allow_packages_storage_path?
(
packages_config
)
paths
<<
::
Packages
::
PackageFileUploader
.
workhorse_upload_path
end
paths
end
def
allow_packages_storage_path?
(
packages_config
)
return
unless
packages_config
.
enabled
return
unless
packages_config
[
'storage_path'
]
return
if
packages_config
.
object_store
.
enabled
&&
packages_config
.
object_store
.
direct_upload
true
end
end
end
end
end
end
ee/spec/lib/gitlab/middleware/multipart_spec.rb
deleted
100644 → 0
View file @
58a7f989
# frozen_string_literal: true
require
'spec_helper'
require
'tempfile'
RSpec
.
describe
Gitlab
::
Middleware
::
Multipart
do
include_context
'multipart middleware context'
describe
'#call'
do
context
'with packages storage'
do
using
RSpec
::
Parameterized
::
TableSyntax
let
(
:storage_path
)
{
'shared/packages'
}
RSpec
.
shared_examples
'allowing the multipart upload'
do
it
'allows files to be uploaded'
do
with_tmp_dir
(
'tmp/uploads'
,
storage_path
)
do
|
dir
,
env
|
allow
(
Packages
::
PackageFileUploader
).
to
receive
(
:root
).
and_return
(
File
.
join
(
dir
,
storage_path
))
expect
(
app
).
to
receive
(
:call
)
do
|
env
|
expect
(
get_params
(
env
)[
'file'
]).
to
be_a
(
::
UploadedFile
)
end
middleware
.
call
(
env
)
end
end
end
RSpec
.
shared_examples
'not allowing the multipart upload when package upload path is used'
do
it
'does not allow files to be uploaded'
do
with_tmp_dir
(
'tmp/uploads'
,
storage_path
)
do
|
dir
,
env
|
# with_tmp_dir sets the same workhorse_upload_path for all Uploaders,
# so we have to prevent JobArtifactUploader and LfsObjectUploader to
# allow the tested path
allow
(
JobArtifactUploader
).
to
receive
(
:workhorse_upload_path
).
and_return
(
Dir
.
tmpdir
)
allow
(
LfsObjectUploader
).
to
receive
(
:workhorse_upload_path
).
and_return
(
Dir
.
tmpdir
)
status
,
headers
,
body
=
middleware
.
call
(
env
)
expect
(
status
).
to
eq
(
400
)
expect
(
headers
).
to
eq
({
'Content-Type'
=>
'text/plain'
})
expect
(
body
).
to
start_with
(
'insecure path used'
)
end
end
end
RSpec
.
shared_examples
'adding package storage to multipart allowed paths'
do
before
do
expect
(
::
Packages
::
PackageFileUploader
).
to
receive
(
:workhorse_upload_path
).
and_call_original
end
it_behaves_like
'allowing the multipart upload'
end
RSpec
.
shared_examples
'not adding package storage to multipart allowed paths'
do
before
do
expect
(
::
Packages
::
PackageFileUploader
).
not_to
receive
(
:workhorse_upload_path
)
end
it_behaves_like
'not allowing the multipart upload when package upload path is used'
end
where
(
:object_storage_enabled
,
:direct_upload_enabled
,
:example_name
)
do
false
|
true
|
'adding package storage to multipart allowed paths'
false
|
false
|
'adding package storage to multipart allowed paths'
true
|
true
|
'not adding package storage to multipart allowed paths'
true
|
false
|
'adding package storage to multipart allowed paths'
end
with_them
do
before
do
stub_config
(
packages:
{
enabled:
true
,
object_store:
{
enabled:
object_storage_enabled
,
direct_upload:
direct_upload_enabled
},
storage_path:
storage_path
})
end
it_behaves_like
params
[
:example_name
]
end
end
end
end
lib/gitlab/middleware/multipart.rb
View file @
8521af9f
...
@@ -105,6 +105,21 @@ module Gitlab
...
@@ -105,6 +105,21 @@ module Gitlab
private
private
def
package_allowed_paths
packages_config
=
::
Gitlab
.
config
.
packages
return
[]
unless
allow_packages_storage_path?
(
packages_config
)
[
::
Packages
::
PackageFileUploader
.
workhorse_upload_path
]
end
def
allow_packages_storage_path?
(
packages_config
)
return
false
unless
packages_config
.
enabled
return
false
unless
packages_config
[
'storage_path'
]
return
false
if
packages_config
.
object_store
.
enabled
&&
packages_config
.
object_store
.
direct_upload
true
end
def
allowed_paths
def
allowed_paths
[
[
::
FileUploader
.
root
,
::
FileUploader
.
root
,
...
@@ -112,7 +127,7 @@ module Gitlab
...
@@ -112,7 +127,7 @@ module Gitlab
JobArtifactUploader
.
workhorse_upload_path
,
JobArtifactUploader
.
workhorse_upload_path
,
LfsObjectUploader
.
workhorse_upload_path
,
LfsObjectUploader
.
workhorse_upload_path
,
File
.
join
(
Rails
.
root
,
'public/uploads/tmp'
)
File
.
join
(
Rails
.
root
,
'public/uploads/tmp'
)
]
]
+
package_allowed_paths
end
end
end
end
...
@@ -135,5 +150,3 @@ module Gitlab
...
@@ -135,5 +150,3 @@ module Gitlab
end
end
end
end
end
end
::
Gitlab
::
Middleware
::
Multipart
::
Handler
.
prepend_if_ee
(
'EE::Gitlab::Middleware::Multipart::Handler'
)
spec/lib/gitlab/middleware/multipart_spec.rb
View file @
8521af9f
...
@@ -232,4 +232,82 @@ RSpec.describe Gitlab::Middleware::Multipart do
...
@@ -232,4 +232,82 @@ RSpec.describe Gitlab::Middleware::Multipart do
middleware
.
call
(
env
)
middleware
.
call
(
env
)
end
end
end
end
describe
'#call'
do
context
'with packages storage'
do
using
RSpec
::
Parameterized
::
TableSyntax
let
(
:storage_path
)
{
'shared/packages'
}
RSpec
.
shared_examples
'allowing the multipart upload'
do
it
'allows files to be uploaded'
do
with_tmp_dir
(
'tmp/uploads'
,
storage_path
)
do
|
dir
,
env
|
allow
(
Packages
::
PackageFileUploader
).
to
receive
(
:root
).
and_return
(
File
.
join
(
dir
,
storage_path
))
expect
(
app
).
to
receive
(
:call
)
do
|
env
|
expect
(
get_params
(
env
)[
'file'
]).
to
be_a
(
::
UploadedFile
)
end
middleware
.
call
(
env
)
end
end
end
RSpec
.
shared_examples
'not allowing the multipart upload when package upload path is used'
do
it
'does not allow files to be uploaded'
do
with_tmp_dir
(
'tmp/uploads'
,
storage_path
)
do
|
dir
,
env
|
# with_tmp_dir sets the same workhorse_upload_path for all Uploaders,
# so we have to prevent JobArtifactUploader and LfsObjectUploader to
# allow the tested path
allow
(
JobArtifactUploader
).
to
receive
(
:workhorse_upload_path
).
and_return
(
Dir
.
tmpdir
)
allow
(
LfsObjectUploader
).
to
receive
(
:workhorse_upload_path
).
and_return
(
Dir
.
tmpdir
)
status
,
headers
,
body
=
middleware
.
call
(
env
)
expect
(
status
).
to
eq
(
400
)
expect
(
headers
).
to
eq
({
'Content-Type'
=>
'text/plain'
})
expect
(
body
).
to
start_with
(
'insecure path used'
)
end
end
end
RSpec
.
shared_examples
'adding package storage to multipart allowed paths'
do
before
do
expect
(
::
Packages
::
PackageFileUploader
).
to
receive
(
:workhorse_upload_path
).
and_call_original
end
it_behaves_like
'allowing the multipart upload'
end
RSpec
.
shared_examples
'not adding package storage to multipart allowed paths'
do
before
do
expect
(
::
Packages
::
PackageFileUploader
).
not_to
receive
(
:workhorse_upload_path
)
end
it_behaves_like
'not allowing the multipart upload when package upload path is used'
end
where
(
:object_storage_enabled
,
:direct_upload_enabled
,
:example_name
)
do
false
|
true
|
'adding package storage to multipart allowed paths'
false
|
false
|
'adding package storage to multipart allowed paths'
true
|
true
|
'not adding package storage to multipart allowed paths'
true
|
false
|
'adding package storage to multipart allowed paths'
end
with_them
do
before
do
stub_config
(
packages:
{
enabled:
true
,
object_store:
{
enabled:
object_storage_enabled
,
direct_upload:
direct_upload_enabled
},
storage_path:
storage_path
})
end
it_behaves_like
params
[
:example_name
]
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment