author | Robert Speicher <robert@gitlab.com> | 2018-01-03 18:00:36 +0000 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2018-01-16 17:04:38 -0800 |
commit | 954a44574fd7a0be232a194d503032e16b8f3094 (patch) | |
tree | bb0315a9b8ddfb1d24725d783df8bbdc279d4e5a /spec | |
parent | 1f96512ba189d1eceb01353ca41c1cb6216d32c1 (diff) | |
download | gitlab-ce-954a44574fd7a0be232a194d503032e16b8f3094.tar.gz |
Merge branch 'ac/fix-path-traversal' into 'security-10-3'
[10.3] Fix path traversal in gitlab-ci.yml cache:key
See merge request gitlab/gitlabhq!2270
(cherry picked from commit c32d0c6807dfd41d7838a35742e6d0986871b389)
df29094a Fix path traversal in gitlab-ci.yml cache:key
Diffstat (limited to 'spec')
-rw-r--r-- | spec/lib/gitlab/ci/config/entry/key_spec.rb | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/spec/lib/gitlab/ci/config/entry/key_spec.rb b/spec/lib/gitlab/ci/config/entry/key_spec.rb
index 5d4de60bc8a..846f5f44470 100644
--- a/spec/lib/gitlab/ci/config/entry/key_spec.rb
+++ b/spec/lib/gitlab/ci/config/entry/key_spec.rb
@@ -4,6 +4,26 @@ describe Gitlab::Ci::Config::Entry::Key do
   let(:entry) { described_class.new(config) }
   describe 'validations' do
+    shared_examples 'key with slash' do
+      it 'is invalid' do
+        expect(entry).not_to be_valid
+      end
+
+      it 'reports errors with config value' do
+        expect(entry.errors).to include 'key config cannot contain the "/" character'
+      end
+    end
+
+    shared_examples 'key with only dots' do
+      it 'is invalid' do
+        expect(entry).not_to be_valid
+      end
+
+      it 'reports errors with config value' do
+        expect(entry.errors).to include 'key config cannot be "." or ".."'
+      end
+    end
+
     context 'when entry config value is correct' do
       let(:config) { 'test' }
@@ -30,6 +50,48 @@ describe Gitlab::Ci::Config::Entry::Key do
         end
       end
     end
+
+    context 'when entry value contains slash' do
+      let(:config) { 'key/with/some/slashes' }
+
+      it_behaves_like 'key with slash'
+    end
+
+    context 'when entry value contains URI encoded slash (%2F)' do
+      let(:config) { 'key%2Fwith%2Fsome%2Fslashes' }
+
+      it_behaves_like 'key with slash'
+    end
+
+    context 'when entry value is a dot' do
+      let(:config) { '.' }
+
+      it_behaves_like 'key with only dots'
+    end
+
+    context 'when entry value is two dots' do
+      let(:config) { '..' }
+
+      it_behaves_like 'key with only dots'
+    end
+
+    context 'when entry value is a URI encoded dot (%2E)' do
+      let(:config) { '%2e' }
+
+      it_behaves_like 'key with only dots'
+    end
+
+    context 'when entry value is two URI encoded dots (%2E)' do
+      let(:config) { '%2E%2e' }
+
+      it_behaves_like 'key with only dots'
+    end
+
+    context 'when entry value is one dot and one URI encoded dot' do
+      let(:config) { '.%2e' }
+
+      it_behaves_like 'key with only dots'
+    end
   end
   describe '.default' do |
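Review bot: The slash contexts in the second hunk only exercise an uppercase `%2F`, while the dot contexts pin both `%2e` and `%2E`; a lowercase `%2f` case (`let(:config) { 'key%2fwith%2fslashes' }` with `it_behaves_like 'key with slash'`) would catch a regression if the decoding in the validator ever became case-sensitive. The spec also has no positive case showing that a key that merely contains dots, such as `'a.b'` or `'...'`, is still accepted, so an over-broad rejection in the entry would pass these specs unnoticed. The validator itself in `Gitlab::Ci::Config::Entry::Key` is outside this diffstat, which is limited to spec, so how it decodes the value cannot be checked from this page. The enclosing `describe 'validations'` block starts in the first hunk and closes at the end of the second.
```ruby
    # … unchanged: existing slash and dot contexts …

    context 'when entry value contains lowercase URI encoded slash (%2f)' do
      let(:config) { 'key%2fwith%2fsome%2fslashes' }

      it_behaves_like 'key with slash'
    end

    context 'when entry value contains dots but is not only dots' do
      let(:config) { 'a.b' }

      it 'is valid' do
        expect(entry).to be_valid
      end
    end
```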