Commit
8cef7d27
authored
Jan 04, 2016
by
Jacob Vosmaer
Always check access for /uploads/
parent
7620c2fa
Changes
3
Showing
3 changed files
with
53 additions
and
0 deletions
+53
-0
.gitignore
.gitignore
+1
-0
main.go
main.go
+10
-0
main_test.go
main_test.go
+42
-0
.gitignore
test/data
test/scratch
gitlab-workhorse
test/public
main.go
@@ -99,6 +99,16 @@ var httpRoutes = [...]httpRoute{
),
},
// For legacy reasons, user uploads are stored under the document root.
// To prevent anybody who knows/guesses the URL of a user-uploaded file
// from downloading it we make sure requests to /uploads/ do _not_ pass
// through handleServeFile.
httpRoute
{
""
,
regexp
.
MustCompile
(
`^/uploads/`
),
handleRailsError
(
documentRoot
,
proxyRequest
,
),
},
// Serve static files or forward the requests
httpRoute
{
""
,
nil
,
handleServeFile
(
documentRoot
,
CacheDisabled
,
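Review bot: The new `^/uploads/` route only protects paths that reach the matcher in exactly that spelling; whether the dispatcher matches against a cleaned r.URL.Path (dot-segments and repeated slashes collapsed) is decided outside this hunk, so if it does not, a non-canonical spelling that handleServeFile later resolves under documentRoot/uploads would still fall through to the static handler. That assumption deserves a line next to the route, `// Relies on the router matching a cleaned r.URL.Path; a raw path would let non-canonical spellings bypass this guard.`, and TestDeniedStaticFile should exercise at least one non-canonical variant of the upload path. The correctness of the guard also depends on this entry staying ahead of the catch-all handleServeFile route below it, which the surrounding comment implies but nothing enforces. The httpRoutes table starts and ends outside the hunk.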
main_test.go
@@ -4,6 +4,7 @@ import (
"bytes"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"log"
"net/http"
@@ -18,6 +19,7 @@ import (
const
scratchDir
=
"test/scratch"
const
testRepoRoot
=
"test/data"
const
testDocumentRoot
=
"test/public"
const
testRepo
=
"group/test.git"
const
testProject
=
"group/test"
@@ -46,6 +48,46 @@ func TestAllowedClone(t *testing.T) {
runOrFail
(
t
,
logCmd
)
}
func
TestDeniedStaticFile
(
t
*
testing
.
T
)
{
cwd
,
err
:=
os
.
Getwd
()
if
err
!=
nil
{
t
.
Fatal
(
err
)
}
*
documentRoot
=
path
.
Join
(
cwd
,
testDocumentRoot
)
fileDir
:=
path
.
Join
(
*
documentRoot
,
"uploads"
)
if
err
:=
os
.
MkdirAll
(
fileDir
,
0755
);
err
!=
nil
{
t
.
Fatal
(
err
)
}
static_file
:=
path
.
Join
(
fileDir
,
"static.txt"
)
if
err
:=
ioutil
.
WriteFile
(
static_file
,
[]
byte
(
"PRIVATE"
),
0666
);
err
!=
nil
{
t
.
Fatal
(
err
)
}
proxied
:=
false
ts
:=
testServerWithHandler
(
regexp
.
MustCompile
(
`^/uploads/static.txt$`
),
func
(
w
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
proxied
=
true
w
.
WriteHeader
(
404
)
})
defer
ts
.
Close
()
ws
:=
startWorkhorseServer
(
ts
.
URL
)
defer
ws
.
Close
()
resp
,
err
:=
http
.
Get
(
ws
.
URL
+
"/uploads/static.txt"
)
if
err
!=
nil
{
t
.
Fatal
(
err
)
}
defer
resp
.
Body
.
Close
()
buf
:=
&
bytes
.
Buffer
{}
if
_
,
err
:=
io
.
Copy
(
buf
,
resp
.
Body
);
err
!=
nil
{
t
.
Fatal
(
err
)
}
if
buf
.
String
()
==
"PRIVATE"
{
t
.
Fatal
(
"Got private file contents which should have been blocked by upstream"
)
}
if
resp
.
StatusCode
!=
404
{
t
.
Fatalf
(
"expected 404, got %d"
,
resp
.
StatusCode
)
}
}
func
TestDeniedClone
(
t
*
testing
.
T
)
{
// Prepare clone directory
if
err
:=
os
.
RemoveAll
(
scratchDir
);
err
!=
nil
{
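Review bot: In TestDeniedStaticFile the `proxied` flag is set to true inside the upstream handler but never read, so the final assertions cannot distinguish a 404 answered by the stub upstream from one produced by workhorse itself (a static-handler miss would also return 404 with a non-"PRIVATE" body), which is exactly the distinction this test exists to make; newer Go toolchains may also reject a variable that is only assigned inside a closure as declared and not used. Adding `if !proxied { t.Fatal("request was not proxied to upstream") }` right after the io.Copy check closes that gap. The local `static_file` should be `staticFile` per Go naming, and since these are filesystem paths `filepath.Join` fits better than `path.Join` (the latter is for slash-separated URL paths). TestDeniedClone at the end of the hunk continues outside it.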