Commit df411486 authored by Grzegorz Bizon's avatar Grzegorz Bizon

Improve path sanitization in `StringPath`

parent a3191463
...@@ -352,15 +352,15 @@ module Ci ...@@ -352,15 +352,15 @@ module Ci
def artifacts_metadata_for_path(path) def artifacts_metadata_for_path(path)
return [] unless artifacts_metadata.exists? return [] unless artifacts_metadata.exists?
paths, metadata = [], [] paths, metadata = [], []
meta_path = path.sub(/^\.\//, '')
metadata_path = path.sub(/^\.\//, '')
File.open(artifacts_metadata.path) do |file| File.open(artifacts_metadata.path) do |file|
gzip = Zlib::GzipReader.new(file) gzip = Zlib::GzipReader.new(file)
gzip.each_line do |line| gzip.each_line do |line|
if line =~ %r{^#{meta_path}[^/]+/?\s} if line =~ %r{^#{Regexp.escape(metadata_path)}[^/\s]+/?\s}
path, meta = line.split(' ') matched_path, matched_meta = line.split(' ')
paths << path paths << matched_path
metadata << JSON.parse(meta) metadata << JSON.parse(matched_meta)
end end
end end
gzip.close gzip.close
......
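Review bot: The interpolated regexp on the `if line =~` line is rebuilt for every line of the gzip stream, because Ruby re-evaluates an interpolated regexp literal each time the expression is reached; build it once before `File.open`, `pattern = %r{^#{Regexp.escape(metadata_path)}[^/\s]+/?\s}`, and test with `if line =~ pattern`. With `Regexp.escape` now applied the caller's `path` can no longer alter the pattern, and a value such as `../x` reaches the prefix match and simply matches no entry, which is presumably the intent. `gzip.close` runs only on the success path, so an exception from `JSON.parse` leaves the reader unclosed, although the `File.open` block still closes the underlying file. The method continues past the hunk, so its return value is not visible here.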
...@@ -57,7 +57,7 @@ module Gitlab ...@@ -57,7 +57,7 @@ module Gitlab
def descendants def descendants
return [] unless directory? return [] unless directory?
select { |entry| entry =~ /^#{@path}.+/ } select { |entry| entry =~ /^#{Regexp.escape(@path)}.+/ }
end end
def children def children
...@@ -65,7 +65,7 @@ module Gitlab ...@@ -65,7 +65,7 @@ module Gitlab
return @children if @children return @children if @children
@children = select do |entry| @children = select do |entry|
self.class.child?(@path, entry) entry =~ %r{^#{Regexp.escape(@path)}[^/\s]+/?$}
end end
end end
...@@ -75,7 +75,7 @@ module Gitlab ...@@ -75,7 +75,7 @@ module Gitlab
end end
def directories! def directories!
has_parent? ? directories.prepend(new(@path + '../')) : directories has_parent? ? directories.prepend(parent) : directories
end end
def files def files
...@@ -115,13 +115,12 @@ module Gitlab ...@@ -115,13 +115,12 @@ module Gitlab
# It looks like Pathname#new doesn't touch a file system, # It looks like Pathname#new doesn't touch a file system,
# neither Pathname#cleanpath does, so it is, hopefully, filesystem safe # neither Pathname#cleanpath does, so it is, hopefully, filesystem safe
clean = Pathname.new(path).cleanpath.to_s clean_path = Pathname.new(path).cleanpath.to_s
raise ArgumentError, 'Invalid path' if clean.start_with?('../') raise ArgumentError, 'Invalid path' if clean_path.start_with?('../')
clean + (path.end_with?('/') ? '/' : '')
end
def self.child?(path, entry) prefix = './' unless clean_path =~ %r{^[\.|/]}
entry =~ %r{^#{path}[^/\s]+/?$} suffix = '/' if path.end_with?('/') || clean_path =~ /^[\.|\.\.]$/
prefix.to_s + clean_path + suffix.to_s
end end
end end
end end
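Review bot: In the sanitization at the end of the last hunk, `|` inside a character class is a literal, so `/^[\.|\.\.]$/` matches only the one-character strings `.` and `|` and never `..`, and `%r{^[\.|/]}` also skips the `./` prefix for a path that starts with `|`; the intended forms are `suffix = '/' if path.end_with?('/') || clean_path =~ /\A\.\.?\z/` and `prefix = './' unless clean_path =~ %r{\A[./]}`, where `\A`/`\z` also keep a path containing a newline from matching on its second line. Note too that `Pathname.new('../').cleanpath.to_s` is `..`, so the `start_with?('../')` guard lets a bare `..` or `../` through, and with the broken suffix regex `..` comes back without the trailing slash; if the parent is meant to be rejected, `raise ArgumentError, 'Invalid path' if clean_path == '..' || clean_path.start_with?('../')` closes that, and if it is meant to be accepted, the corrected suffix regex is what makes it consistent. The `descendants` and `children` regexes in the earlier hunks keep the `^`/`$` anchors as well. The method containing this code begins before the hunk, so its name, parameter and any earlier checks are not visible.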
...@@ -45,7 +45,6 @@ describe Gitlab::StringPath do ...@@ -45,7 +45,6 @@ describe Gitlab::StringPath do
it { is_expected.to be_directory } it { is_expected.to be_directory }
it { is_expected.to be_relative } it { is_expected.to be_relative }
it { is_expected.to have_parent }
end end
describe 'path/dir_1/', path: 'path/dir_1/' do describe 'path/dir_1/', path: 'path/dir_1/' do
......