authorDJ Mountney <dj@gitlab.com>2017-04-05 21:55:19 +0000
committerDJ Mountney <david@twkie.net>2017-04-05 16:13:36 -0700
commitc4b71fc42f6813d1b98647d961eca3c8a63a9752 (patch)
treec2b18349103422a6e89520db3d65aaddc6a312b7
parentaa21d8cca1a36dddf32ee9beebe6a141c3954f61 (diff)
downloadgitlab-ce-c4b71fc42f6813d1b98647d961eca3c8a63a9752.tar.gz
Merge branch 'path-disclosure-proj-import-export' into 'security'
Fix for path disclosure in project import/export See merge request !2080
-rw-r--r--app/helpers/projects_helper.rb5
-rw-r--r--changelogs/unreleased/file-import-export-path-disclosure.yml5
-rw-r--r--spec/helpers/projects_helper_spec.rb8
3 files changed, 17 insertions, 1 deletions
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index eb98204285d..31514964749 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -391,7 +391,10 @@ module ProjectsHelper
def sanitize_repo_path(project, message)
return '' unless message.present?
- message.strip.gsub(project.repository_storage_path.chomp('/'), "[REPOS PATH]")
+ exports_path = File.join(Settings.shared['path'], 'tmp/project_exports')
+ filtered_message = message.strip.gsub(exports_path, "[REPO EXPORT PATH]")
+
+ filtered_message.gsub(project.repository_storage_path.chomp('/'), "[REPOS PATH]")
end
def project_feature_options
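Review bot: The order of the two gsub calls (`exports_path` masked first on `filtered_message = …`, then `repository_storage_path` on the returned line) is load-bearing but undocumented: if `Settings.shared['path']` sits beneath the repository storage path, masking the storage path first would rewrite the export path into a partial `[REPOS PATH]/…` and leave the rest of it visible, so a short comment such as `# Mask the more specific export path first so a shared path nested under the repos path is not partially disclosed` would keep a future reorder from reintroducing the leak. Both gsub calls pass a String pattern, so the paths are matched literally rather than as regexps, which is the right choice for filesystem paths. If `Settings.shared['path']` can ever be unset, `File.join` raises TypeError before the storage path is masked, turning the sanitizer into a crash on the error path it is meant to clean; this is worth confirming against the settings defaults rather than assuming. `project_feature_options` continues outside the hunk; `sanitize_repo_path` itself is shown in full.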
diff --git a/changelogs/unreleased/file-import-export-path-disclosure.yml b/changelogs/unreleased/file-import-export-path-disclosure.yml
new file mode 100644
index 00000000000..1a297d07187
--- /dev/null
+++ b/changelogs/unreleased/file-import-export-path-disclosure.yml
@@ -0,0 +1,5 @@
+---
+title: Fix path disclosure in project import/export
+merge_request:
+author:
+
diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb
index aca0bb1d794..40cc9dc18f4 100644
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -127,6 +127,7 @@ describe ProjectsHelper do
before do
allow(project).to receive(:repository_storage_path).and_return('/base/repo/path')
+ allow(Settings.shared).to receive(:[]).with('path').and_return('/base/repo/export/path')
end
it 'removes the repo path' do
@@ -135,6 +136,13 @@ describe ProjectsHelper do
expect(sanitize_repo_path(project, import_error)).to eq('Could not clone [REPOS PATH]/namespace/test.git')
end
+
+ it 'removes the temporary repo path used for uploads/exports' do
+ repo = '/base/repo/export/path/tmp/project_exports/uploads/test.tar.gz'
+ import_error = "Unable to decompress #{repo}\n"
+
+ expect(sanitize_repo_path(project, import_error)).to eq('Unable to decompress [REPO EXPORT PATH]/uploads/test.tar.gz')
+ end
end
describe '#last_push_event' do
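Review bot: The new example at `it 'removes the temporary repo path used for uploads/exports'` stubs paths that do not overlap (`/base/repo/path` against `/base/repo/export/path`), so it does not pin the replacement order inside `sanitize_repo_path`; a helper that masked the repos path first would leave `[REPOS PATH]/export/path/tmp/…` behind and this suite would not notice. An example in which the shared path is nested under the storage path and the message mentions both would lock the ordering in (paths below are illustrative, not taken from the project). The enclosing `describe` block starts outside the hunk.
```ruby
it 'masks the export path before the repos path when the two overlap' do
  allow(Settings.shared).to receive(:[]).with('path').and_return('/base/repo/path/shared')
  import_error = "Unable to decompress /base/repo/path/shared/tmp/project_exports/uploads/test.tar.gz in /base/repo/path/namespace\n"

  expect(sanitize_repo_path(project, import_error)).to eq('Unable to decompress [REPO EXPORT PATH]/uploads/test.tar.gz in [REPOS PATH]/namespace')
end
```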