Merge branch 'ac/fix-path-traversal' into 'security-10-3'

[10.3] Fix path traversal in gitlab-ci.yml cache:key See merge request gitlab/gitlabhq!2270 (cherry picked from commit c32d0c6807dfd41d7838a35742e6d0986871b389) df29094a Fix path traversal in gitlab-ci.yml cache:key
author: Robert Speicher <robert@gitlab.com> 2018-01-03 18:00:36 +0000
committer: Rémy Coutable <remy@rymai.me> 2018-01-15 11:23:06 +0100
commit: 6ea4cdcc41e6382e22732119c930b689f5bcdb94 (patch)
tree: 58b9794d0ec2d5b5ab3f5ad262c64ca6093ec481 /spec
parent: 69c0d7494df25c872411af903f453819ff944dac (diff)
download: gitlab-ce-6ea4cdcc41e6382e22732119c930b689f5bcdb94.tar.gz
1 files changed, 62 insertions, 0 deletions
diff --git a/spec/lib/gitlab/ci/config/entry/key_spec.rb b/spec/lib/gitlab/ci/config/entry/key_spec.rb
index 5d4de60bc8a..846f5f44470 100644
--- a/spec/lib/gitlab/ci/config/entry/key_spec.rb
+++ b/spec/lib/gitlab/ci/config/entry/key_spec.rb
@@ -4,6 +4,26 @@ describe Gitlab::Ci::Config::Entry::Key do
   let(:entry) { described_class.new(config) }
 
   describe 'validations' do
+    shared_examples 'key with slash' do
+      it 'is invalid' do
+        expect(entry).not_to be_valid
+      end
+
+      it 'reports errors with config value' do
+        expect(entry.errors).to  include 'key config cannot contain the "/" character'
+      end
+    end
+
+    shared_examples 'key with only dots' do
+      it 'is invalid' do
+        expect(entry).not_to be_valid
+      end
+
+      it 'reports errors with config value' do
+        expect(entry.errors).to  include 'key config cannot be "." or ".."'
+      end
+    end
+
     context 'when entry config value is correct' do
       let(:config) { 'test' }
 
@@ -30,6 +50,48 @@ describe Gitlab::Ci::Config::Entry::Key do
         end
       end
     end
+
+    context 'when entry value contains slash' do
+      let(:config) { 'key/with/some/slashes' }
+
+      it_behaves_like 'key with slash'
+    end
+
+    context 'when entry value contains URI encoded slash (%2F)' do
+      let(:config) { 'key%2Fwith%2Fsome%2Fslashes' }
+
+      it_behaves_like 'key with slash'
+    end
+
+    context 'when entry value is a dot' do
+      let(:config) { '.' }
+
+      it_behaves_like 'key with only dots'
+    end
+
+    context 'when entry value is two dots' do
+      let(:config) { '..' }
+
+      it_behaves_like 'key with only dots'
+    end
+
+    context 'when entry value is a URI encoded dot (%2E)' do
+      let(:config) { '%2e' }
+
+      it_behaves_like 'key with only dots'
+    end
+
+    context 'when entry value is two URI encoded dots (%2E)' do
+      let(:config) { '%2E%2e' }
+
+      it_behaves_like 'key with only dots'
+    end
+
+    context 'when entry value is one dot and one URI encoded dot' do
+      let(:config) { '.%2e' }
+
+      it_behaves_like 'key with only dots'
+    end
   end
 
   describe '.default' do
author	Robert Speicher <robert@gitlab.com>	2018-01-03 18:00:36 +0000
committer	Rémy Coutable <remy@rymai.me>	2018-01-15 11:23:06 +0100
commit	6ea4cdcc41e6382e22732119c930b689f5bcdb94 (patch)
tree	58b9794d0ec2d5b5ab3f5ad262c64ca6093ec481 /spec
parent	69c0d7494df25c872411af903f453819ff944dac (diff)
download	gitlab-ce-6ea4cdcc41e6382e22732119c930b689f5bcdb94.tar.gz