author | James Lopez <james@gitlab.com> | 2018-01-08 15:42:41 +0000 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2018-01-16 17:04:51 -0800 |
commit | 532a0b60184800b0442723498d5257c20d20a8aa (patch) | |
tree | 50244d4e6b32983e0f960d9c2ee0e9e6ff295329 /lib | |
parent | 791ca43f3f8f12451ee1e70efc90f5d82347af93 (diff) | |
download | gitlab-ce-532a0b60184800b0442723498d5257c20d20a8aa.tar.gz |
Merge branch 'fix/import-rce-10-3' into 'security-10-3'
[10.3] Fix RCE via project import mechanism
See merge request gitlab/gitlabhq!2294
(cherry picked from commit dcfec507d6f9ee119d65a832393e7c593af1d3b2)
86d75812 Fix RCE via project import mechanism
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/import_export/file_importer.rb | 6 | ||||
-rw-r--r-- | lib/gitlab/import_export/saver.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/import_export/shared.rb | 14 |
3 files changed, 19 insertions, 3 deletions
diff --git a/lib/gitlab/import_export/file_importer.rb b/lib/gitlab/import_export/file_importer.rb
index 989342389bc..5c971564a73 100644
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -17,12 +17,16 @@ module Gitlab
 def import
 mkdir_p(@shared.export_path)
+ remove_symlinks!
+
 wait_for_archived_file do
 decompress_archive
 end
 rescue => e
 @shared.error(e)
 false
+ ensure
+ remove_symlinks!
 end
 private
@@ -43,7 +47,7 @@ module Gitlab
 raise Projects::ImportService::Error.new("Unable to decompress #{@archive_file} into #{@shared.export_path}") unless result
- remove_symlinks!
+ result
 end
 def remove_symlinks!
diff --git a/lib/gitlab/import_export/saver.rb b/lib/gitlab/import_export/saver.rb
index 6130c124dd1..2daeba90a51 100644
--- a/lib/gitlab/import_export/saver.rb
+++ b/lib/gitlab/import_export/saver.rb
@@ -37,7 +37,7 @@ module Gitlab
 end
 def archive_file
- @archive_file ||= File.join(@shared.export_path, '..', Gitlab::ImportExport.export_filename(project: @project))
+ @archive_file ||= File.join(@shared.archive_path, Gitlab::ImportExport.export_filename(project: @project))
 end
 end
 end
diff --git a/lib/gitlab/import_export/shared.rb b/lib/gitlab/import_export/shared.rb
index 9fd0b709ef2..d03cbc880fd 100644
--- a/lib/gitlab/import_export/shared.rb
+++ b/lib/gitlab/import_export/shared.rb
@@ -9,7 +9,11 @@ module Gitlab
 end
 def export_path
- @export_path ||= Gitlab::ImportExport.export_path(relative_path: opts[:relative_path])
+ @export_path ||= Gitlab::ImportExport.export_path(relative_path: relative_path)
+ end
+
+ def archive_path
+ @archive_path ||= Gitlab::ImportExport.export_path(relative_path: relative_archive_path)
 end
 def error(error)
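Review bot: The new `ensure` clause runs after the `rescue`, so an exception raised by the cleanup `remove_symlinks!` is not routed through `@shared.error(e)` and escapes `import` unrescued, unlike every other failure in this method; if that is intended (a failed sweep must not look like a clean import), say so with a comment, otherwise wrap the ensure body. The protection this hunk relies on is only partly visible here: the sweep in `ensure` removes symlinks after extraction has already happened, so what actually stops an archive from planting a symlink that a later import follows is that `@shared.export_path` now appears to be a fresh per-import directory (the shared.rb hunk below adds a `SecureRandom.hex` component), which I would state next to the first call: `# export_path is a fresh per-import directory; the sweep before extraction is defensive, the one in ensure guarantees no symlink survives a failed untar`. The body of `remove_symlinks!` starts after the end of the second hunk, so I cannot confirm it handles symlinked directories as well as files.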
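Review bot: The added `result` return is always truthy, because the line above it raises `unless result`, so `decompress_archive` now signals failure only by raising; returning `true` or adding `# always true here: failure raised above` would make that explicit for callers of `wait_for_archived_file`. With the symlink sweep moved out of this method, any other caller of `decompress_archive` (none is visible in this diff) would extract without a sweep, which is worth a one-line note on the method. The enclosing `def decompress_archive` begins before this hunk. While touching it, `raise Projects::ImportService::Error, "…"` is the idiomatic form of the existing `raise …Error.new("…")`.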
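Review bot: The archive is now written to `@shared.archive_path`, which from the shared.rb hunk resolves to the parent of the per-project path via `'..'`, i.e. a location outside the randomized export directory and outside the reach of FileImporter's `remove_symlinks!` sweep. That is presumably deliberate so the archive has a stable location, but it means the archive directory is shared between exports under the same parent and any stale file or symlink there is not cleaned up by this change; `Gitlab::ImportExport.export_filename` (not visible here) has to guarantee a non-colliding, non-attacker-influenced name. I would record that assumption next to the memoization: `# archive_path is the shared parent dir, not the per-export random dir; it is not swept for symlinks`. The `Saver` class and the methods around `archive_file` lie outside this hunk.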
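Review bot: `export_path` and `archive_path` look symmetric but are not: `export_path` now embeds a random per-instance component via `relative_path`, while `archive_path` is deterministic and points one level above `opts[:relative_path]`, so any code that constructs a second `Shared` for the same project gets a different export directory but the same archive directory. Nothing in the hunk says this, and the memoization on `@export_path` is the only thing keeping the random directory stable across calls. I would document both accessors: `# per-instance, randomized directory used for extraction; never reuse across Shared instances` on `export_path` and `# deterministic parent of opts[:relative_path] where the export archive lives; shared across exports` on `archive_path`. The class header and `opts` definition are outside this hunk.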
@@ -21,6 +25,14 @@ module Gitlab
 private
+ def relative_path
+ File.join(opts[:relative_path], SecureRandom.hex)
+ end
+
+ def relative_archive_path
+ File.join(opts[:relative_path], '..')
+ end
+
 def error_out(message, caller)
 Rails.logger.error("Import/Export error raised on #{caller}: #{message}")
 end
|
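Review bot: `relative_path` evaluates `SecureRandom.hex` on every call, so two callers get two different directories; today only `export_path` calls it and memoizes the result, but the non-determinism lives in the wrong method and a future caller would silently diverge. Memoize at the source, `@relative_path ||= File.join(opts[:relative_path], SecureRandom.hex)`, or add `# non-deterministic: call only through export_path` above it. Both helpers pass `opts[:relative_path]` to `File.join`, which raises `TypeError` when it is nil; if callers can omit it (I cannot see the constructor), guard or `fetch` it. `SecureRandom` is used without a visible `require 'securerandom'`; under Rails it is presumably already loaded, but an explicit require at the top of the file costs nothing.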