summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorKamil Trzciński <ayufan@ayufan.eu>2018-07-09 15:07:26 +0000
committerKamil Trzciński <ayufan@ayufan.eu>2018-07-09 15:07:26 +0000
commite8d7b283be1b9bb636e769908c2d9e603f3aa679 (patch)
treebafbe8a56b5cb1a123228a854a9a189b05e094e9 /spec
parent2b4509c4a45d8c02d89fa48bb24e50c20e51b40c (diff)
parent6b2ebea7dc036c2b21bd47f2955639f9b257b568 (diff)
downloadgitlab-ce-e8d7b283be1b9bb636e769908c2d9e603f3aa679.tar.gz
Merge branch 'jprovazn-upload-symlink' into 'master'
Add FileUploader.root to allowed upload paths Closes gitlab-qa#291 See merge request gitlab-org/gitlab-ce!20472
Diffstat (limited to 'spec')
-rw-r--r--spec/lib/gitlab/middleware/multipart_spec.rb27
1 files changed, 27 insertions, 0 deletions
diff --git a/spec/lib/gitlab/middleware/multipart_spec.rb b/spec/lib/gitlab/middleware/multipart_spec.rb
index b4837a1689a..f788f8ee276 100644
--- a/spec/lib/gitlab/middleware/multipart_spec.rb
+++ b/spec/lib/gitlab/middleware/multipart_spec.rb
@@ -75,6 +75,33 @@ describe Gitlab::Middleware::Multipart do
it_behaves_like 'multipart upload files'
end
+ it 'allows symlinks for uploads dir' do
+ Tempfile.open('two-levels') do |tempfile|
+ symlinked_dir = '/some/dir/uploads'
+ symlinked_path = File.join(symlinked_dir, File.basename(tempfile.path))
+ env = post_env({ 'file' => symlinked_path }, { 'file.name' => original_filename, 'file.path' => symlinked_path }, Gitlab::Workhorse.secret, 'gitlab-workhorse')
+
+ allow(FileUploader).to receive(:root).and_return(symlinked_dir)
+ allow(UploadedFile).to receive(:allowed_paths).and_return([symlinked_dir, Gitlab.config.uploads.storage_path])
+ allow(File).to receive(:realpath).and_call_original
+ allow(File).to receive(:realpath).with(symlinked_dir).and_return(Dir.tmpdir)
+ allow(File).to receive(:realpath).with(symlinked_path).and_return(tempfile.path)
+ allow(File).to receive(:exist?).and_call_original
+ allow(File).to receive(:exist?).with(symlinked_dir).and_return(true)
+
+ # override Dir.tmpdir because this dir is in the list of allowed paths
+ # and it would match FileUploader.root path (which in this test is linked
+ # to /tmp too)
+ allow(Dir).to receive(:tmpdir).and_return(File.join(Dir.tmpdir, 'tmpsubdir'))
+
+ expect(app).to receive(:call) do |env|
+ expect(Rack::Request.new(env).params['file']).to be_a(::UploadedFile)
+ end
+
+ middleware.call(env)
+ end
+ end
+
def post_env(rewritten_fields, params, secret, issuer)
token = JWT.encode({ 'iss' => issuer, 'rewritten_fields' => rewritten_fields }, secret, 'HS256')
Rack::MockRequest.env_for(