author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-01 22:56:42 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-01 22:56:42 +0000 |
commit | 05aac11ac90b9157ea39944abfcf6be3fd8f9fb9 (patch) | |
tree | 845215e22003e8f19a959bd526f3f5ef6ad81883 | |
parent | d40003afdea391c2d1396f3ab6c78705fa6d2a79 (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee
3 files changed, 43 insertions, 0 deletions
diff --git a/app/services/projects/update_remote_mirror_service.rb b/app/services/projects/update_remote_mirror_service.rb
index fe2610f89fb..7961f689259 100644
--- a/app/services/projects/update_remote_mirror_service.rb
+++ b/app/services/projects/update_remote_mirror_service.rb
@@ -7,6 +7,10 @@ module Projects
 def execute(remote_mirror, tries)
 return success unless remote_mirror.enabled?
+ if Gitlab::UrlBlocker.blocked_url?(CGI.unescape(Gitlab::UrlSanitizer.sanitize(remote_mirror.url)))
+ return error("The remote mirror URL is invalid.")
+ end
+
 update_mirror(remote_mirror)
 success
diff --git a/changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml b/changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml
new file mode 100644
index 00000000000..0117d6a3ccf
--- /dev/null
+++ b/changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml
@@ -0,0 +1,5 @@
+---
+title: Check validity of project's import_url before mirroring repository
+merge_request:
+author:
+type: security
diff --git a/spec/services/projects/update_remote_mirror_service_spec.rb b/spec/services/projects/update_remote_mirror_service_spec.rb
index 09244db8010..6785b71fcc0 100644
--- a/spec/services/projects/update_remote_mirror_service_spec.rb
+++ b/spec/services/projects/update_remote_mirror_service_spec.rb
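Review bot: The new guard calls `Gitlab::UrlBlocker.blocked_url?` with no options, so whether loopback and private-network hosts are refused, and which URL schemes are accepted, is whatever the blocker's defaults happen to be rather than a policy chosen for mirror pushes; since this SSRF check is the reason for the change, the blocker's options for localhost/local-network blocking and a scheme allowlist should be passed explicitly, presumably keyed to the instance's allow-local-requests setting, so the behaviour is visible at this call site. A smaller point: the blocker inspects `CGI.unescape(Gitlab::UrlSanitizer.sanitize(remote_mirror.url))` while `update_mirror` on the following line receives the raw `remote_mirror.url`, so the host that is validated and the host git pushes to coincide only if `UrlSanitizer` and git parse the string the same way — worth a comment such as `# Validate the decoded, credential-stripped form; git itself still receives remote_mirror.url` and a test that pins that assumption. Finally, the early return only reports the rejection to the caller; unlike the failure path the spec checks through `remote_mirror.last_error`, nothing is recorded on the mirror, so its owner would see a mirror that silently stops updating — consider setting `last_error` (or the mirror's failed state) before `return error(...)`. The closing `end` of `execute` lies outside the hunk.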
@@ -56,6 +56,40 @@ RSpec.describe Projects::UpdateRemoteMirrorService do
 expect(remote_mirror.last_error).to include('Badly broken')
 end
+ context 'when the URL is blocked' do
+ before do
+ allow(Gitlab::UrlBlocker).to receive(:blocked_url?).and_return(true)
+ end
+
+ it 'fails and returns error status' do
+ expect(execute!).to eq(status: :error, message: 'The remote mirror URL is invalid.')
+ end
+ end
+
+ context "when given URLs containing escaped elements" do
+ using RSpec::Parameterized::TableSyntax
+
+ where(:url, :result_status) do
+ "https://user:0a%23@test.example.com/project.git" | :success
+ "https://git.example.com:1%2F%2F@source.developers.google.com/project.git" | :success
+ CGI.escape("git://localhost:1234/some-path?some-query=some-val\#@example.com/") | :error
+ CGI.escape(CGI.escape("https://user:0a%23@test.example.com/project.git")) | :error
+ end
+
+ with_them do
+ before do
+ allow(remote_mirror).to receive(:url).and_return(url)
+ allow(service).to receive(:update_mirror).with(remote_mirror).and_return(true)
+ end
+
+ it "returns expected status" do
+ result = execute!
+
+ expect(result[:status]).to eq(result_status)
+ end
+ end
+ end
+
 context 'when the update fails because of a `Gitlab::Git::CommandError`' do
 before do
 allow(remote_mirror).to receive(:update_repository) |
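Review bot: The table in `when given URLs containing escaped elements` never exercises a plain internal address: both `:error` rows are `CGI.escape`d strings, so the `git://localhost:1234/...` row may be rejected for its scheme, its `\#@` userinfo trick or its host, and the double-escaped row for not parsing as a URL at all after a single `CGI.unescape`, which leaves the guard's core purpose (refusing mirror pushes to loopback or private hosts) unpinned. Add unambiguous rows such as `"http://127.0.0.1/project.git" | :error` and a private-range host, and, if the blocker's treatment of local addresses depends on instance settings, one case per setting value showing the intended outcome. The `when the URL is blocked` context stubs `blocked_url?` to `true` for any argument, which is fine for the message assertion but means the real normalisation chain `CGI.unescape(Gitlab::UrlSanitizer.sanitize(...))` is covered only by the table above. The enclosing `RSpec.describe` block begins and ends outside the hunk.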