diff options
| author | Stan Hu <stanhu@gmail.com> | 2018-10-23 14:59:00 -0700 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2018-10-23 20:47:38 -0700 |
| commit | a12d25d8a5e95ef868370e7c09e777237047366b (patch) | |
| tree | e9c7054cddccca198a8f09a79f1ed8990eb73331 /lib/api/wikis.rb | |
| parent | a310a638db037d3914cf12e580c7a41209d2d06e (diff) | |
| download | gitlab-ce-a12d25d8a5e95ef868370e7c09e777237047366b.tar.gz | |
Validate Wiki attachments are valid temporary files
A malicious attacker could craft a request to read arbitrary files on
the system. This change adds a Grape validation to ensure that the
tempfile parameter delivered by the Rack multipart uploader is a
Tempfile type to prevent users from being able to specify arbitrary
filenames.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/53072
Diffstat (limited to 'lib/api/wikis.rb')
| -rw-r--r-- | lib/api/wikis.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/api/wikis.rb b/lib/api/wikis.rb index 6e1d4eb335f..24746f4efc6 100644 --- a/lib/api/wikis.rb +++ b/lib/api/wikis.rb @@ -6,7 +6,7 @@ module API def commit_params(attrs) { file_name: attrs[:file][:filename], - file_content: File.read(attrs[:file][:tempfile]), + file_content: attrs[:file][:tempfile].read, branch_name: attrs[:branch] } end @@ -100,7 +100,7 @@ module API success Entities::WikiAttachment end params do - requires :file, type: File, desc: 'The attachment file to be uploaded' + requires :file, type: ::API::Validations::Types::SafeFile, desc: 'The attachment file to be uploaded' optional :branch, type: String, desc: 'The name of the branch' end post ":id/wikis/attachments", requirements: API::PROJECT_ENDPOINT_REQUIREMENTS do |