Validate LFS hrefs before downloading them

author: Nick Thomas <nick@gitlab.com> 2018-12-11 16:52:22 +0000
committer: Nick Thomas <nick@gitlab.com> 2018-12-11 18:13:44 +0000
commit: 3ee0710d1d47bec895568563aeca2d3b53bfa8ce (patch)
tree: ae3da1ed6baa1133114edc1bb887b63479f0ac31 /app/services/projects
parent: 18a48e348b83f66a1d108a2d6e38ac12c47dcef3 (diff)
download: gitlab-ce-3ee0710d1d47bec895568563aeca2d3b53bfa8ce.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/app/services/projects/lfs_pointers/lfs_download_service.rb b/app/services/projects/lfs_pointers/lfs_download_service.rb
index 1c4a8d05be6..f9b9781ad5f 100644
--- a/app/services/projects/lfs_pointers/lfs_download_service.rb
+++ b/app/services/projects/lfs_pointers/lfs_download_service.rb
@@ -4,6 +4,8 @@
 module Projects
   module LfsPointers
     class LfsDownloadService < BaseService
+      VALID_PROTOCOLS = %w[http https].freeze
+
       # rubocop: disable CodeReuse/ActiveRecord
       def execute(oid, url)
         return unless project&.lfs_enabled? && oid.present? && url.present?
@@ -11,6 +13,7 @@ module Projects
         return if LfsObject.exists?(oid: oid)
 
         sanitized_uri = Gitlab::UrlSanitizer.new(url)
+        Gitlab::UrlBlocker.validate!(sanitized_uri.sanitized_url, protocols: VALID_PROTOCOLS)
 
         with_tmp_file(oid) do |file|
           size = download_and_save_file(file, sanitized_uri)
author	Nick Thomas <nick@gitlab.com>	2018-12-11 16:52:22 +0000
committer	Nick Thomas <nick@gitlab.com>	2018-12-11 18:13:44 +0000
commit	3ee0710d1d47bec895568563aeca2d3b53bfa8ce (patch)
tree	ae3da1ed6baa1133114edc1bb887b63479f0ac31 /app/services/projects
parent	18a48e348b83f66a1d108a2d6e38ac12c47dcef3 (diff)
download	gitlab-ce-3ee0710d1d47bec895568563aeca2d3b53bfa8ce.tar.gz