Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq into jivl-dev-master-into-com-masterjivl-dev-master-into-com-master

4 files changed, 36 insertions, 1 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e90f599ced1..e1a6a014c57 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 11.0.4 (2018-07-17)
+
+### Security (1 change)
+
+- Fix symlink vulnerability in project import.
+
+
 ## 11.0.3 (2018-07-05)
 
 ### Fixed (14 changes, 1 of them is from the community)
@@ -295,6 +302,14 @@ entry.
 - Workhorse to send raw diff and patch for commits.
 
 
+## 10.8.6 (2018-07-17)
+
+### Security (2 changes)
+
+- Fix symlink vulnerability in project import.
+- Merge branch 'fix-mr-widget-border' into 'master'.
+
+
 ## 10.8.5 (2018-06-21)
 
 ### Security (5 changes)
@@ -524,6 +539,13 @@ entry.
 - Gitaly handles repository forks by default.
 
 
+## 10.7.7 (2018-07-17)
+
+### Security (1 change)
+
+- Fix symlink vulnerability in project import.
+
+
 ## 10.7.6 (2018-06-21)
 
 ### Security (6 changes)
diff --git a/changelogs/unreleased/sh-fix-issue-49133.yml b/changelogs/unreleased/sh-fix-issue-49133.yml
new file mode 100644
index 00000000000..847220d88b2
--- /dev/null
+++ b/changelogs/unreleased/sh-fix-issue-49133.yml
@@ -0,0 +1,5 @@
+---
+title: Fix symlink vulnerability in project import
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/import_export/file_importer.rb b/lib/gitlab/import_export/file_importer.rb
index 0f4c3498036..4c411f4847e 100644
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -4,6 +4,7 @@ module Gitlab
       include Gitlab::ImportExport::CommandLineUtil
 
       MAX_RETRIES = 8
+      IGNORED_FILENAMES = %w(. ..).freeze
 
       def self.import(*args)
         new(*args).import
@@ -59,7 +60,7 @@ module Gitlab
       end
 
       def extracted_files
-        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ %r{.*/\.{1,2}$} }
+        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| IGNORED_FILENAMES.include?(File.basename(f)) }
       end
     end
   end
diff --git a/spec/lib/gitlab/import_export/file_importer_spec.rb b/spec/lib/gitlab/import_export/file_importer_spec.rb
index 58b9fb06cc5..265937f899e 100644
--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
+++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
@@ -7,6 +7,7 @@ describe Gitlab::ImportExport::FileImporter do
   let(:symlink_file) { "#{shared.export_path}/invalid.json" }
   let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
   let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
+  let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }
 
   before do
     stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
@@ -34,6 +35,10 @@ describe Gitlab::ImportExport::FileImporter do
       expect(File.exist?(hidden_symlink_file)).to be false
     end
 
+    it 'removes evil symlinks in root folder' do
+      expect(File.exist?(evil_symlink_file)).to be false
+    end
+
     it 'removes symlinks in subfolders' do
       expect(File.exist?(subfolder_symlink_file)).to be false
     end
@@ -75,5 +80,7 @@ describe Gitlab::ImportExport::FileImporter do
     FileUtils.touch(valid_file)
     FileUtils.ln_s(valid_file, symlink_file)
     FileUtils.ln_s(valid_file, subfolder_symlink_file)
+    FileUtils.ln_s(valid_file, hidden_symlink_file)
+    FileUtils.ln_s(valid_file, evil_symlink_file)
   end
 end