Add constraint to dependency proxy route

Add constraint to the sha value in the group dependency proxy blob route to prevent malicious values.

Add constraint to dependency proxy route
Add constraint to the sha value in the group dependency proxy blob route to prevent malicious values.
b16946b8 · Steve Abrams · e3bee019 · b16946b8 · b16946b8 · b16946b8
Commit b16946b8 authored Jan 07, 2020 by Steve Abrams
5 changed files
--- a/changelogs/unreleased/security-dependency-proxy-path-traversal.yml
+++ b/changelogs/unreleased/security-dependency-proxy-path-traversal.yml
+---
+title: Add constraint to group dependency proxy endpoint param
+merge_request:
+author:
+type: security
--- a/ee/config/routes/group.rb
+++ b/ee/config/routes/group.rb
@@ -146,7 +146,7 @@ end
 scope format: false do
  get 'v2', to: proc { [200, {}, ['']] }

-  constraints image: Gitlab::PathRegex.container_image_regex do
+  constraints image: Gitlab::PathRegex.container_image_regex, sha: Gitlab::PathRegex.container_image_blob_sha_regex do
    get 'v2/*group_id/dependency_proxy/containers/*image/manifests/*tag' => 'groups/dependency_proxy_for_containers#manifest'
    get 'v2/*group_id/dependency_proxy/containers/*image/blobs/:sha' => 'groups/dependency_proxy_for_containers#blob'
  end

--- a/ee/lib/ee/gitlab/path_regex.rb
+++ b/ee/lib/ee/gitlab/path_regex.rb
@@ -13,6 +13,10 @@ module EE
        def container_image_regex
          @container_image_regex ||= %r{([\w\.-]+\/){0,1}[\w\.-]+}.freeze
        end
+
+        def container_image_blob_sha_regex
+          @container_image_blob_sha_regex ||= %r{[\w+.-]+:?[\w]+}.freeze
+        end
      end
    end
  end

--- a/ee/spec/lib/ee/gitlab/path_regex_spec.rb
+++ b/ee/spec/lib/ee/gitlab/path_regex_spec.rb
@@ -19,4 +19,17 @@ describe Gitlab::PathRegex do
      expect(subject.match('ruby:2.3.6')[0]).to eq('ruby')
    end
  end
+
+  describe '.container_image_blob_sha_regex' do
+    subject { described_class.container_image_blob_sha_regex }
+
+    it { is_expected.to match('sha256:asdf1234567890ASDF') }
+    it { is_expected.to match('foo:123') }
+    it { is_expected.to match('a12bc3f590szp') }
+    it { is_expected.not_to match('') }
+
+    it 'does not match malicious characters' do
+      expect(subject.match('sha256:asdf1234%2f')[0]).to eq('sha256:asdf1234')
+    end
+  end
 end
--- a/ee/spec/routing/group_routing_spec.rb
+++ b/ee/spec/routing/group_routing_spec.rb
@@ -60,6 +60,16 @@ describe 'Group routing', "routing" do
        expect(get('/v2/gitlabhq/dependency_proxy/containers/ruby/blobs/abc12345'))
          .to route_to('groups/dependency_proxy_for_containers#blob', group_id: 'gitlabhq', image: 'ruby', sha: 'abc12345')
      end
+
+      it "does not route to #blob with an invalid sha" do
+        expect(get("/v2/gitlabhq/dependency_proxy/containers/ruby/blobs/sha256:asdf1234%2f%2e%2e"))
+          .not_to route_to(group_id: 'gitlabhq', image: 'ruby', sha: 'sha256:asdf1234%2f%2e%2e')
+      end
+
+      it "does not route to #blob with an invalid image" do
+        expect(get("/v2/gitlabhq/dependency_proxy/containers/ru*by/blobs/abc12345"))
+          .not_to route_to('groups/dependency_proxy_for_containers#blob', group_id: 'gitlabhq', image: 'ru*by', sha: 'abc12345')
+      end
    end

    context 'image name with namespace' do