Commit df041608 authored by Jose's avatar Jose

Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq into jivl-dev-master-into-com-master

parents 489025bb 465da1c7
...@@ -2,6 +2,13 @@ ...@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own documentation](doc/development/changelog.md) for instructions on adding your own
entry. entry.
## 11.0.4 (2018-07-17)
### Security (1 change)
- Fix symlink vulnerability in project import.
## 11.0.3 (2018-07-05) ## 11.0.3 (2018-07-05)
### Fixed (14 changes, 1 of them is from the community) ### Fixed (14 changes, 1 of them is from the community)
...@@ -295,6 +302,14 @@ entry. ...@@ -295,6 +302,14 @@ entry.
- Workhorse to send raw diff and patch for commits. - Workhorse to send raw diff and patch for commits.
## 10.8.6 (2018-07-17)
### Security (2 changes)
- Fix symlink vulnerability in project import.
- Merge branch 'fix-mr-widget-border' into 'master'.
## 10.8.5 (2018-06-21) ## 10.8.5 (2018-06-21)
### Security (5 changes) ### Security (5 changes)
...@@ -524,6 +539,13 @@ entry. ...@@ -524,6 +539,13 @@ entry.
- Gitaly handles repository forks by default. - Gitaly handles repository forks by default.
## 10.7.7 (2018-07-17)
### Security (1 change)
- Fix symlink vulnerability in project import.
## 10.7.6 (2018-06-21) ## 10.7.6 (2018-06-21)
### Security (6 changes) ### Security (6 changes)
......
---
title: Fix symlink vulnerability in project import
merge_request:
author:
type: security
...@@ -4,6 +4,7 @@ module Gitlab ...@@ -4,6 +4,7 @@ module Gitlab
include Gitlab::ImportExport::CommandLineUtil include Gitlab::ImportExport::CommandLineUtil
MAX_RETRIES = 8 MAX_RETRIES = 8
IGNORED_FILENAMES = %w(. ..).freeze
def self.import(*args) def self.import(*args)
new(*args).import new(*args).import
...@@ -59,7 +60,7 @@ module Gitlab ...@@ -59,7 +60,7 @@ module Gitlab
end end
def extracted_files def extracted_files
Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ %r{.*/\.{1,2}$} } Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| IGNORED_FILENAMES.include?(File.basename(f)) }
end end
end end
end end
......
...@@ -7,6 +7,7 @@ describe Gitlab::ImportExport::FileImporter do ...@@ -7,6 +7,7 @@ describe Gitlab::ImportExport::FileImporter do
let(:symlink_file) { "#{shared.export_path}/invalid.json" } let(:symlink_file) { "#{shared.export_path}/invalid.json" }
let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" } let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" } let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }
before do before do
stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0) stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
...@@ -34,6 +35,10 @@ describe Gitlab::ImportExport::FileImporter do ...@@ -34,6 +35,10 @@ describe Gitlab::ImportExport::FileImporter do
expect(File.exist?(hidden_symlink_file)).to be false expect(File.exist?(hidden_symlink_file)).to be false
end end
it 'removes evil symlinks in root folder' do
expect(File.exist?(evil_symlink_file)).to be false
end
it 'removes symlinks in subfolders' do it 'removes symlinks in subfolders' do
expect(File.exist?(subfolder_symlink_file)).to be false expect(File.exist?(subfolder_symlink_file)).to be false
end end
...@@ -75,5 +80,7 @@ describe Gitlab::ImportExport::FileImporter do ...@@ -75,5 +80,7 @@ describe Gitlab::ImportExport::FileImporter do
FileUtils.touch(valid_file) FileUtils.touch(valid_file)
FileUtils.ln_s(valid_file, symlink_file) FileUtils.ln_s(valid_file, symlink_file)
FileUtils.ln_s(valid_file, subfolder_symlink_file) FileUtils.ln_s(valid_file, subfolder_symlink_file)
FileUtils.ln_s(valid_file, hidden_symlink_file)
FileUtils.ln_s(valid_file, evil_symlink_file)
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment