authorGitLab Bot <gitlab-bot@gitlab.com>2020-03-24 14:36:00 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-03-24 14:36:00 +0000
commit6632798905a6d28db587e2daccad0c0b9f38a7fd (patch)
tree6c860d1a6efeb850f945ecdc9079c525191cf501
parentbae12f7577222ffe59346ec4cd221340f56bf2e6 (diff)
downloadgitlab-ce-6632798905a6d28db587e2daccad0c0b9f38a7fd.tar.gz
Add latest changes from gitlab-org/security/gitlab@12-7-stable-ee
-rw-r--r--changelogs/unreleased/security-ssrf-attachment-url.yml5
-rw-r--r--lib/gitlab/import_export/attribute_cleaner.rb9
-rw-r--r--spec/lib/gitlab/import_export/attribute_cleaner_spec.rb3
3 files changed, 16 insertions, 1 deletions
diff --git a/changelogs/unreleased/security-ssrf-attachment-url.yml b/changelogs/unreleased/security-ssrf-attachment-url.yml
new file mode 100644
index 00000000000..bb5e3e54574
--- /dev/null
+++ b/changelogs/unreleased/security-ssrf-attachment-url.yml
@@ -0,0 +1,5 @@
+---
+title: Exclude Carrierwave remote URL methods from import
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index d1c20dff799..4c32d0c958a 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -11,7 +11,14 @@ module Gitlab
'discussion_id',
'custom_attributes'
].freeze
- PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
+ PROHIBITED_REFERENCES = Regexp.union(
+ /\Acached_markdown_version\Z/,
+ /_id\Z/,
+ /_ids\Z/,
+ /_html\Z/,
+ /attributes/,
+ /\Aremote_\w+_(url|urls|request_header)\Z/ # carrierwave automatically creates these attribute methods for uploads
+ ).freeze
def self.clean(*args)
new(*args).clean
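Review bot: The trailing comment on the new `/\Aremote_\w+_(url|urls|request_header)\Z/` alternative records what defines these names but not why they are excluded, and since the changelog classifies this as a security fix the reason should live next to the pattern so it is not pruned as dead weight later; something like `# CarrierWave defines remote_<mount>_url / _urls / _request_header writers for every uploader mount; restoring them from an export would make the server fetch an attacker-chosen URL, so they are never imported.` placed on its own line above the regex rather than trailing it. The `\Z` anchor also matches before a single trailing newline, which here only widens what is blocked and is consistent with the other anchored patterns on the list, so no change is needed there. The enclosing `AttributeCleaner` class and the code that applies `PROHIBITED_REFERENCES` lie outside the hunk, so how the match is performed cannot be confirmed from this diff.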
diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
index 12857f97f7c..65e99c0c3b8 100644
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -32,6 +32,9 @@ describe Gitlab::ImportExport::AttributeCleaner do
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3],
+ 'remote_attachment_url' => 'http://something.dodgy',
+ 'remote_attachment_request_header' => 'bad value',
+ 'remote_attachment_urls' => %w(http://something.dodgy http://something.okay),
'attributes' => {
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
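Review bot: The three new fixture keys only exercise names that must be dropped; nothing in the hunk shows a similar but legitimate key surviving, so an over-broad pattern (for example one that lost its `\A` anchor) would still pass this spec. A companion entry such as `'attachment_url' => 'http://something.okay'` on the retained side of the fixture would presumably pin the anchoring, though the expected-result hash that decides what is kept is outside this hunk and the fixture hash itself starts before it.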