author | Nick Thomas <nick@gitlab.com> | 2018-12-11 16:52:22 +0000 |
committer | Nick Thomas <nick@gitlab.com> | 2018-12-11 18:13:44 +0000 |
commit | 3ee0710d1d47bec895568563aeca2d3b53bfa8ce (patch) | |
tree | ae3da1ed6baa1133114edc1bb887b63479f0ac31 /app/services/projects | |
parent | 18a48e348b83f66a1d108a2d6e38ac12c47dcef3 (diff) | |
Validate LFS hrefs before downloading them
Diffstat (limited to 'app/services/projects')
-rw-r--r-- | app/services/projects/lfs_pointers/lfs_download_service.rb | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/app/services/projects/lfs_pointers/lfs_download_service.rb b/app/services/projects/lfs_pointers/lfs_download_service.rb
index 1c4a8d05be6..f9b9781ad5f 100644
--- a/app/services/projects/lfs_pointers/lfs_download_service.rb
+++ b/app/services/projects/lfs_pointers/lfs_download_service.rb
@@ -4,6 +4,8 @@ module Projects
module LfsPointers
class LfsDownloadService < BaseService
+ VALID_PROTOCOLS = %w[http https].freeze
+ # rubocop: disable CodeReuse/ActiveRecord
def execute(oid, url)
return unless project&.lfs_enabled? && oid.present? && url.present?
@@ -11,6 +13,7 @@ module Projects
return if LfsObject.exists?(oid: oid)
sanitized_uri = Gitlab::UrlSanitizer.new(url)
+ Gitlab::UrlBlocker.validate!(sanitized_uri.sanitized_url, protocols: VALID_PROTOCOLS)
with_tmp_file(oid) do |file|
size = download_and_save_file(file, sanitized_uri) |
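Review bot: The `Gitlab::UrlBlocker.validate!` call added in the second hunk passes only `protocols: VALID_PROTOCOLS`, so every other restriction the blocker can apply — in particular whether loopback and private-range hosts are rejected — is left to its defaults rather than stated by this service; if this version of the blocker exposes them, `Gitlab::UrlBlocker.validate!(sanitized_uri.sanitized_url, protocols: VALID_PROTOCOLS, allow_localhost: false, allow_local_network: false)` makes the intended policy explicit and robust to a change in defaults. The check also runs once, on the URL before the fetch, so `download_and_save_file` (defined outside the hunk) should be confirmed not to follow redirects to an unvalidated destination and to connect to the address that was validated, otherwise the guard is undone after it runs. Unlike the `return unless`/`return if` guards above it, a rejected URL now raises out of `execute`; unless a rescue exists below the hunk, callers must handle that error or the service should log it and return `nil` like the other early exits. `execute`'s body continues past the end of the hunk.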