Commit df041608 authored Jul 17, 2018 by Jose
Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq into jivl-dev-master-into-com-master
parents 489025bb 465da1c7
Showing 4 changed files with 36 additions and 1 deletion (+36 -1)
CHANGELOG.md (+22 -0)
changelogs/unreleased/sh-fix-issue-49133.yml (+5 -0)
lib/gitlab/import_export/file_importer.rb (+2 -1)
spec/lib/gitlab/import_export/file_importer_spec.rb (+7 -0)
CHANGELOG.md
...
@@ -2,6 +2,13 @@
...
@@ -2,6 +2,13 @@
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
entry.
entry.
## 11.0.4 (2018-07-17)
### Security (1 change)
-
Fix symlink vulnerability in project import.
## 11.0.3 (2018-07-05)
## 11.0.3 (2018-07-05)
### Fixed (14 changes, 1 of them is from the community)
### Fixed (14 changes, 1 of them is from the community)
...
@@ -295,6 +302,14 @@ entry.
...
@@ -295,6 +302,14 @@ entry.
-
Workhorse to send raw diff and patch for commits.
-
Workhorse to send raw diff and patch for commits.
## 10.8.6 (2018-07-17)
### Security (2 changes)
-
Fix symlink vulnerability in project import.
-
Merge branch 'fix-mr-widget-border' into 'master'.
## 10.8.5 (2018-06-21)
## 10.8.5 (2018-06-21)
### Security (5 changes)
### Security (5 changes)
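Review bot: The second entry under "## 10.8.6 (2018-07-17) / ### Security (2 changes)", "Merge branch 'fix-mr-widget-border' into 'master'.", is a merge-commit title rather than a description of the change, and a widget border fix does not read as a security item. Replace it with a sentence that states what was fixed, or move it out of the Security section if it is not one.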
...
@@ -524,6 +539,13 @@ entry.
...
@@ -524,6 +539,13 @@ entry.
-
Gitaly handles repository forks by default.
-
Gitaly handles repository forks by default.
## 10.7.7 (2018-07-17)
### Security (1 change)
-
Fix symlink vulnerability in project import.
## 10.7.6 (2018-06-21)
## 10.7.6 (2018-06-21)
### Security (6 changes)
### Security (6 changes)
...
...
changelogs/unreleased/sh-fix-issue-49133.yml
0 → 100644
---
title
:
Fix symlink vulnerability in project import
merge_request
:
author
:
type
:
security
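Review bot: `merge_request:` and `author:` are left empty in the new changelog entry, so the generated CHANGELOG line will carry no merge request link. If that is deliberate because the fix was merged on the private dev instance, fine; otherwise fill in the MR number so the entry can be traced.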
lib/gitlab/import_export/file_importer.rb
...
@@ -4,6 +4,7 @@ module Gitlab
...
@@ -4,6 +4,7 @@ module Gitlab
include
Gitlab
::
ImportExport
::
CommandLineUtil
include
Gitlab
::
ImportExport
::
CommandLineUtil
MAX_RETRIES
=
8
MAX_RETRIES
=
8
IGNORED_FILENAMES
=
%w(. ..)
.
freeze
def
self
.
import
(
*
args
)
def
self
.
import
(
*
args
)
new
(
*
args
).
import
new
(
*
args
).
import
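Review bot: `IGNORED_FILENAMES = %w(. ..).freeze` carries no comment explaining why it exists. A one-line note that it is used to skip the `.` and `..` directory entries returned by `File::FNM_DOTMATCH` by exact basename comparison (rather than by a regex, which is what the previous code used) would stop a future refactor from reintroducing a pattern-based check.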
...
@@ -59,7 +60,7 @@ module Gitlab
...
@@ -59,7 +60,7 @@ module Gitlab
end
end
def
extracted_files
def
extracted_files
Dir
.
glob
(
"
#{
@shared
.
export_path
}
/**/*"
,
File
::
FNM_DOTMATCH
).
reject
{
|
f
|
f
=~
%r{.*/
\.
{1,2}$}
}
Dir
.
glob
(
"
#{
@shared
.
export_path
}
/**/*"
,
File
::
FNM_DOTMATCH
).
reject
{
|
f
|
IGNORED_FILENAMES
.
include?
(
File
.
basename
(
f
))
}
end
end
end
end
end
end
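Review bot: The removed filter `reject { |f| f =~ %r{.*/\.{1,2}$} }` is the defect being fixed: in Ruby `$` matches at the end of any line, not only the end of the string, so an entry whose basename is `.` or `..` followed by a newline and more characters also matched and was excluded from `extracted_files`, which means it was never subjected to the symlink cleanup. The replacement `IGNORED_FILENAMES.include?(File.basename(f))` compares the exact basename and closes that gap. Worth a short comment at this line saying that names are compared exactly on purpose, since the regex form looks like a harmless simplification to anyone who does not know about `$` versus `\z`.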
...
...
spec/lib/gitlab/import_export/file_importer_spec.rb
...
@@ -7,6 +7,7 @@ describe Gitlab::ImportExport::FileImporter do
...
@@ -7,6 +7,7 @@ describe Gitlab::ImportExport::FileImporter do
let
(
:symlink_file
)
{
"
#{
shared
.
export_path
}
/invalid.json"
}
let
(
:symlink_file
)
{
"
#{
shared
.
export_path
}
/invalid.json"
}
let
(
:hidden_symlink_file
)
{
"
#{
shared
.
export_path
}
/.hidden"
}
let
(
:hidden_symlink_file
)
{
"
#{
shared
.
export_path
}
/.hidden"
}
let
(
:subfolder_symlink_file
)
{
"
#{
shared
.
export_path
}
/subfolder/invalid.json"
}
let
(
:subfolder_symlink_file
)
{
"
#{
shared
.
export_path
}
/subfolder/invalid.json"
}
let
(
:evil_symlink_file
)
{
"
#{
shared
.
export_path
}
/.
\n
evil"
}
before
do
before
do
stub_const
(
'Gitlab::ImportExport::FileImporter::MAX_RETRIES'
,
0
)
stub_const
(
'Gitlab::ImportExport::FileImporter::MAX_RETRIES'
,
0
)
...
@@ -34,6 +35,10 @@ describe Gitlab::ImportExport::FileImporter do
...
@@ -34,6 +35,10 @@ describe Gitlab::ImportExport::FileImporter do
expect
(
File
.
exist?
(
hidden_symlink_file
)).
to
be
false
expect
(
File
.
exist?
(
hidden_symlink_file
)).
to
be
false
end
end
it
'removes evil symlinks in root folder'
do
expect
(
File
.
exist?
(
evil_symlink_file
)).
to
be
false
end
it
'removes symlinks in subfolders'
do
it
'removes symlinks in subfolders'
do
expect
(
File
.
exist?
(
subfolder_symlink_file
)).
to
be
false
expect
(
File
.
exist?
(
subfolder_symlink_file
)).
to
be
false
end
end
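Review bot: The description `'removes evil symlinks in root folder'` does not say what property the test checks; a reader will not know why this case differs from `'removes symlinks in subfolders'` without opening the `let`. Suggest naming the behaviour, for example "removes symlinks whose name starts with a dot followed by a newline", so the regression it guards is visible from the spec output.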
...
@@ -75,5 +80,7 @@ describe Gitlab::ImportExport::FileImporter do
...
@@ -75,5 +80,7 @@ describe Gitlab::ImportExport::FileImporter do
FileUtils
.
touch
(
valid_file
)
FileUtils
.
touch
(
valid_file
)
FileUtils
.
ln_s
(
valid_file
,
symlink_file
)
FileUtils
.
ln_s
(
valid_file
,
symlink_file
)
FileUtils
.
ln_s
(
valid_file
,
subfolder_symlink_file
)
FileUtils
.
ln_s
(
valid_file
,
subfolder_symlink_file
)
FileUtils
.
ln_s
(
valid_file
,
hidden_symlink_file
)
FileUtils
.
ln_s
(
valid_file
,
evil_symlink_file
)
end
end
end
end