diff options
| author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:44:28 +0000 |
|---|---|---|
| committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:44:30 +0000 |
| commit | 09c2d94f2b87f3c281d08c27af64bb217fb741ef (patch) | |
| tree | 1400da2cdfd2dd0228160172995839192ea9da95 | |
| parent | 1d9280e16514e01f02674591634befb8f765e858 (diff) | |
| download | gitlab-ce-09c2d94f2b87f3c281d08c27af64bb217fb741ef.tar.gz | |
Merge branch 'security-2767-verify-lfs-finalize-from-workhorse-11-7' into 'security-11-7'
[11.7] Verify that LFS upload requests are genuine
See merge request gitlab/gitlabhq!2862
(cherry picked from commit 54f089a47ef1706edc809ac90cbd6ef889de4e5e)
006f5e6b Verify that LFS upload requests are genuine
| -rw-r--r-- | GITLAB_WORKHORSE_VERSION | 2 | ||||
| -rw-r--r-- | app/controllers/projects/lfs_storage_controller.rb | 2 | ||||
| -rw-r--r-- | changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml | 5 | ||||
| -rw-r--r-- | spec/requests/lfs_http_spec.rb | 23 |
4 files changed, 25 insertions, 7 deletions
diff --git a/GITLAB_WORKHORSE_VERSION b/GITLAB_WORKHORSE_VERSION index ae9a76b9249..cd1d2e94f31 100644 --- a/GITLAB_WORKHORSE_VERSION +++ b/GITLAB_WORKHORSE_VERSION @@ -1 +1 @@ -8.0.0 +8.0.1 diff --git a/app/controllers/projects/lfs_storage_controller.rb b/app/controllers/projects/lfs_storage_controller.rb index babeee48ef3..013e01b82aa 100644 --- a/app/controllers/projects/lfs_storage_controller.rb +++ b/app/controllers/projects/lfs_storage_controller.rb @@ -5,7 +5,7 @@ class Projects::LfsStorageController < Projects::GitHttpClientController include WorkhorseRequest include SendFileUpload - skip_before_action :verify_workhorse_api!, only: [:download, :upload_finalize] + skip_before_action :verify_workhorse_api!, only: :download def download lfs_object = LfsObject.find_by_oid(oid) diff --git a/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml new file mode 100644 index 00000000000..e79e3263df7 --- /dev/null +++ b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml @@ -0,0 +1,5 @@ +--- +title: Verify that LFS upload requests are genuine +merge_request: +author: +type: security diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb index f1514e90eb2..1781759c54b 100644 --- a/spec/requests/lfs_http_spec.rb +++ b/spec/requests/lfs_http_spec.rb @@ -1086,6 +1086,12 @@ describe 'Git LFS API and storage' do end end + context 'and request to finalize the upload is not sent by gitlab-workhorse' do + it 'fails with a JWT decode error' do + expect { put_finalize(lfs_tmp_file, verified: false) }.to raise_error(JWT::DecodeError) + end + end + context 'and workhorse requests upload finalize for a new lfs object' do before do lfs_object.destroy @@ -1347,9 +1353,13 @@ describe 'Git LFS API and storage' do context 'when pushing the same lfs object to the second project' do before do + finalize_headers = headers + .merge('X-Gitlab-Lfs-Tmp' => lfs_tmp_file) + .merge(workhorse_internal_api_request_header) + put "#{second_project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", params: {}, - headers: headers.merge('X-Gitlab-Lfs-Tmp' => lfs_tmp_file).compact + headers: finalize_headers end it 'responds with status 200' do @@ -1370,7 +1380,7 @@ describe 'Git LFS API and storage' do put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}/authorize", params: {}, headers: authorize_headers end - def put_finalize(lfs_tmp = lfs_tmp_file, with_tempfile: false, args: {}) + def put_finalize(lfs_tmp = lfs_tmp_file, with_tempfile: false, verified: true, args: {}) upload_path = LfsObjectUploader.workhorse_local_upload_path file_path = upload_path + '/' + lfs_tmp if lfs_tmp @@ -1384,11 +1394,14 @@ describe 'Git LFS API and storage' do 'file.name' => File.basename(file_path) } - put_finalize_with_args(args.merge(extra_args).compact) + put_finalize_with_args(args.merge(extra_args).compact, verified: verified) end - def put_finalize_with_args(args) - put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", params: args, headers: headers + def put_finalize_with_args(args, verified:) + finalize_headers = headers + finalize_headers.merge!(workhorse_internal_api_request_header) if verified + + put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", params: args, headers: finalize_headers end def lfs_tmp_file |