Fix path disclosure on Project Import

2 files changed, 32 insertions, 1 deletions

diff --git a/spec/lib/gitlab/import_export/shared_spec.rb b/spec/lib/gitlab/import_export/shared_spec.rb
new file mode 100644
index 00000000000..f2d750c6595
--- /dev/null
+++ b/spec/lib/gitlab/import_export/shared_spec.rb
@@ -0,0 +1,31 @@
+require 'spec_helper'
+require 'fileutils'
+
+describe Gitlab::ImportExport::Shared do
+  let(:project) { build(:project) }
+  subject { project.import_export_shared }
+
+  describe '#error' do
+    let(:error) { StandardError.new('Error importing into /my/folder Permission denied @ unlink_internal - /var/opt/gitlab/gitlab-rails/shared/a/b/c/uploads/file') }
+
+    it 'filters any full paths' do
+      subject.error(error)
+
+      expect(subject.errors).to eq(['Error importing into [FILTERED] Permission denied @ unlink_internal - [FILTERED]'])
+    end
+
+    it 'calls the error logger with the full message' do
+      expect(subject).to receive(:log_error).with(hash_including(message: error.message))
+
+      subject.error(error)
+    end
+
+    it 'calls the debug logger with a backtrace' do
+      error.set_backtrace('backtrace')
+
+      expect(subject).to receive(:log_debug).with(hash_including(backtrace: 'backtrace'))
+
+      subject.error(error)
+    end
+  end
+end
diff --git a/spec/lib/gitlab/import_export/version_checker_spec.rb b/spec/lib/gitlab/import_export/version_checker_spec.rb
index 49d857d9483..76f8253ec9b 100644
--- a/spec/lib/gitlab/import_export/version_checker_spec.rb
+++ b/spec/lib/gitlab/import_export/version_checker_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
 include ImportExport::CommonUtil
 
 describe Gitlab::ImportExport::VersionChecker do
-  let(:shared) { Gitlab::ImportExport::Shared.new(nil) }
+  let!(:shared) { Gitlab::ImportExport::Shared.new(nil) }
 
   describe 'bundle a project Git repo' do
     let(:version) { Gitlab::ImportExport.version }