author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-11-20 10:21:45 +0200 |
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-11-20 10:21:45 +0200 |
commit | 3f3b202c6efa17a8e6731ba44c5f3bf672c28672 (patch) | |
tree | d2e4794a8e5d1600b5fd4063484926d943df3b6e /lib | |
parent | a1d88f0fede0fc34aec671318d3f02b78e776bb4 (diff) | |
download | gitlab-ce-3f3b202c6efa17a8e6731ba44c5f3bf672c28672.tar.gz |
Improve files API. Relative path check added. Create dir for new file if missing
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/satellite/files/delete_file_action.rb | 7 | ||||
-rw-r--r-- | lib/gitlab/satellite/files/edit_file_action.rb | 7 | ||||
-rw-r--r-- | lib/gitlab/satellite/files/file_action.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/satellite/files/new_file_action.rb | 10 |
4 files changed, 25 insertions, 3 deletions
diff --git a/lib/gitlab/satellite/files/delete_file_action.rb b/lib/gitlab/satellite/files/delete_file_action.rb
index 10d23f7c243..30462999aa3 100644
--- a/lib/gitlab/satellite/files/delete_file_action.rb
+++ b/lib/gitlab/satellite/files/delete_file_action.rb
@@ -17,6 +17,13 @@ module Gitlab
 
           # update the file in the satellite's working dir
           file_path_in_satellite = File.join(repo.working_dir, file_path)
+
+          # Prevent relative links
+          unless safe_path?(file_path_in_satellite)
+            Gitlab::GitLogger.error("FileAction: Relative path not allowed")
+            return false
+          end
+
           File.delete(file_path_in_satellite)
 
           # add removed file
diff --git a/lib/gitlab/satellite/files/edit_file_action.rb b/lib/gitlab/satellite/files/edit_file_action.rb
index ee9d31ed129..f410ecb7984 100644
--- a/lib/gitlab/satellite/files/edit_file_action.rb
+++ b/lib/gitlab/satellite/files/edit_file_action.rb
@@ -19,6 +19,13 @@ module Gitlab
 
           # update the file in the satellite's working dir
           file_path_in_satellite = File.join(repo.working_dir, file_path)
+
+          # Prevent relative links
+          unless safe_path?(file_path_in_satellite)
+            Gitlab::GitLogger.error("FileAction: Relative path not allowed")
+            return false
+          end
+
           File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
 
           # commit the changes
diff --git a/lib/gitlab/satellite/files/file_action.rb b/lib/gitlab/satellite/files/file_action.rb
index 7c08e292192..0f7afde647d 100644
--- a/lib/gitlab/satellite/files/file_action.rb
+++ b/lib/gitlab/satellite/files/file_action.rb
@@ -8,6 +8,10 @@ module Gitlab
         @file_path = file_path
         @ref = ref
       end
+
+      def safe_path?(path)
+        File.absolute_path(path) == path
+      end
     end
   end
 end
diff --git a/lib/gitlab/satellite/files/new_file_action.rb b/lib/gitlab/satellite/files/new_file_action.rb
index 91f7175c2ac..57d101ff535 100644
--- a/lib/gitlab/satellite/files/new_file_action.rb
+++ b/lib/gitlab/satellite/files/new_file_action.rb
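Review bot: The comment `# Prevent relative links` does not describe what the new guard does: `safe_path?` compares the path with its lexically normalised form, so it rejects `.` and `..` segments and nothing else, and it is `File.join(repo.working_dir, file_path)` on the line above that keeps the result rooted in the satellite — a reliance worth stating next to the check. Suggested comment: `# Reject paths with "." or ".." segments; File.join above already roots the path under repo.working_dir, so this confines the delete to the satellite's working tree`. The log line also records no context for anyone investigating rejected requests; `Gitlab::GitLogger.error("FileAction: Relative path not allowed: #{file_path.inspect}")` would capture the offending (presumably client-supplied) path in escaped form. The same comment and log line are added in edit_file_action.rb and new_file_action.rb. commit! continues outside the hunk on both sides.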
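Review bot: `File.open(file_path_in_satellite, 'w')` follows symbolic links, and `safe_path?` only normalises the string without touching the filesystem, so a symlink already committed in the repository that points outside the working tree would pass the new guard and be written through. For an edit the target must already exist, so the path can be checked after symlink resolution with `File.realpath`; a missing or non-regular target is likewise a client error here rather than something `'w'` should silently create. Whether `in_locked_and_timed_satellite` rescues `Errno::*` from such cases is outside the diff, which is another reason to return false explicitly. The body of commit! continues on both sides of the hunk.
```ruby
          file_path_in_satellite = File.join(repo.working_dir, file_path)

          # … unchanged: safe_path? guard …

          # Resolve symlinks before writing: the lexical safe_path? check cannot see
          # a committed link that points outside the satellite's working tree, and an
          # edit must hit an existing regular file rather than create one.
          real_working_dir = File.realpath(repo.working_dir)
          unless File.file?(file_path_in_satellite) &&
                 File.realpath(file_path_in_satellite).start_with?(real_working_dir + File::SEPARATOR)
            Gitlab::GitLogger.error("FileAction: Path is not a regular file inside the working tree")
            return false
          end

          File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
```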
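Review bot: `safe_path?` has no documentation and its name promises more than the one-line body delivers: `File.absolute_path(path) == path` is a purely lexical test, true when the string already contains no `.` or `..` segments, and it neither resolves symlinks nor checks that `path` lies under any particular directory. A comment stating that contract keeps future callers from treating it as a containment check; suggested: `# Lexical check only: true when +path+ is already an absolute path with no "." or ".." segments. Does not resolve symlinks or verify that +path+ lies inside the working tree; callers must root +path+ with File.join(repo.working_dir, ...) first.` The class header and initialize's signature are outside the hunk.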
@@ -16,15 +16,19 @@ module Gitlab
           # create target branch in satellite at the corresponding commit from bare repo
           repo.git.checkout({raise: true, timeout: true, b: true}, ref, "origin/#{ref}")
-
           # update the file in the satellite's working dir
           file_path_in_satellite = File.join(repo.working_dir, file_path)
+          dir_name_in_satellite = File.dirname(file_path_in_satellite)
 
           # Prevent relative links
-          unless File.absolute_path(file_path_in_satellite) == file_path_in_satellite
-            Gitlab::GitLogger.error("NewFileAction: Relative path not allowed")
+          unless safe_path?(file_path_in_satellite)
+            Gitlab::GitLogger.error("FileAction: Relative path not allowed")
             return false
           end
 
+          # Create dir if not exists
+          FileUtils.mkdir_p(dir_name_in_satellite)
+
+          # Write file
           File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
 
           # add new file |
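Review bot: Nothing in the new code checks that the path is actually new: `File.open(file_path_in_satellite, 'w')` truncates an existing file, and `FileUtils.mkdir_p(dir_name_in_satellite)` raises `Errno::EEXIST` when a regular file sits where a parent directory should be, so a path that already exists in the checked-out ref is either silently overwritten or becomes an exception instead of the `return false` the surrounding guards use. Whether the API layer rejects existing paths before reaching this action is not visible in the diff; a guard in the action itself is cheap and keeps the failure mode consistent. `mkdir_p` and `'w'` also follow committed symlinks, which the lexical `safe_path?` cannot see; the same applies to edit_file_action.rb. commit! continues outside the hunk on both sides.
```ruby
          # … unchanged: checkout, path join, safe_path? guard …

          # A "new" file must not clobber what the checked-out ref already has:
          # 'w' below would truncate an existing file, and mkdir_p raises if a
          # regular file occupies a parent component.
          if File.exist?(file_path_in_satellite) || File.symlink?(file_path_in_satellite)
            Gitlab::GitLogger.error("FileAction: File already exists: #{file_path.inspect}")
            return false
          end

          # Create dir if not exists
          FileUtils.mkdir_p(dir_name_in_satellite)
          # … unchanged: write file, add new file …
```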