-rw-r--r-- | changelogs/unreleased/security-group-import-file-enuming.yml | 5 | ||||
-rw-r--r-- | lib/api/group_import.rb | 17 | ||||
-rw-r--r-- | spec/requests/api/group_import_spec.rb | 33 | ||||
-rwxr-xr-x[-rw-r--r--] | vendor/gitignore/C++.gitignore | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | vendor/gitignore/Java.gitignore | 0 |
5 files changed, 30 insertions, 25 deletions
diff --git a/changelogs/unreleased/security-group-import-file-enuming.yml b/changelogs/unreleased/security-group-import-file-enuming.yml
new file mode 100644
index 00000000000..efdff7e84e9
--- /dev/null
+++ b/changelogs/unreleased/security-group-import-file-enuming.yml
@@ -0,0 +1,5 @@
+---
+title: Fix file enuming using Group Import
+merge_request:
+author:
+type: security
diff --git a/lib/api/group_import.rb b/lib/api/group_import.rb
index ed52506de14..ec51c2f44c3 100644
--- a/lib/api/group_import.rb
+++ b/lib/api/group_import.rb
@@ -4,6 +4,8 @@ module API
 class GroupImport < Grape::API
 MAXIMUM_FILE_SIZE = 50.megabytes.freeze

+ helpers Helpers::FileUploadHelpers
+
 helpers do
 def parent_group
 find_group!(params[:parent_id]) if params[:parent_id].present?
@@ -48,29 +50,20 @@ module API
 params do
 requires :path, type: String, desc: 'Group path'
 requires :name, type: String, desc: 'Group name'
+ requires :file, type: ::API::Validations::Types::WorkhorseFile, desc: 'The group export file to be imported'
 optional :parent_id, type: Integer, desc: "The ID of the parent group that the group will be imported into. Defaults to the current user's namespace."
- optional 'file.path', type: String, desc: 'Path to locally stored body (generated by Workhorse)'
- optional 'file.name', type: String, desc: 'Real filename as send in Content-Disposition (generated by Workhorse)'
- optional 'file.type', type: String, desc: 'Real content type as send in Content-Type (generated by Workhorse)'
- optional 'file.size', type: Integer, desc: 'Real size of file (generated by Workhorse)'
- optional 'file.md5', type: String, desc: 'MD5 checksum of the file (generated by Workhorse)'
- optional 'file.sha1', type: String, desc: 'SHA1 checksum of the file (generated by Workhorse)'
- optional 'file.sha256', type: String, desc: 'SHA256 checksum of the file (generated by Workhorse)'
 end
 post 'import' do
 authorize_create_group!
 require_gitlab_workhorse!
-
- uploaded_file = UploadedFile.from_params(params, :file, ImportExportUploader.workhorse_local_upload_path)
-
- bad_request!('Unable to process group import file') unless uploaded_file
+ validate_file!

 group_params = {
 path: params[:path],
 name: params[:name],
 parent_id: params[:parent_id],
 visibility_level: closest_allowed_visibility_level,
- import_export_upload: ImportExportUpload.new(import_file: uploaded_file)
+ import_export_upload: ImportExportUpload.new(import_file: params[:file])
 }

 group = ::Groups::CreateService.new(current_user, group_params).execute
diff --git a/spec/requests/api/group_import_spec.rb b/spec/requests/api/group_import_spec.rb
index 58bff08dcbb..b60a1b3f119 100644
--- a/spec/requests/api/group_import_spec.rb
+++ b/spec/requests/api/group_import_spec.rb
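Review bot: The `requires :file, type: ::API::Validations::Types::WorkhorseFile` line is the load-bearing part of this fix — it replaces the removed `UploadedFile.from_params(params, :file, ...)` call that was fed the client-declared `'file.path'` parameter — but nothing in the hunk records that, so a later refactor could reintroduce an `optional 'file.path'` without noticing. I would add above the `requires :file` line: `# The export must arrive as a Workhorse-rewritten upload; never declare a client-supplied file.path here (see changelog: file enumeration fix).` What `validate_file!` (from `Helpers::FileUploadHelpers`) checks, and whether `MAXIMUM_FILE_SIZE` is still applied now that the upload goes straight from `params[:file]` into `ImportExportUpload.new`, is not visible in this hunk and is worth confirming. The `post 'import'` block continues past the end of the hunk.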
@@ -11,7 +11,7 @@ describe API::GroupImport do
 let(:file) { File.join('spec', 'fixtures', 'group_export.tar.gz') }
 let(:export_path) { "#{Dir.tmpdir}/group_export_spec" }
 let(:workhorse_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
- let(:workhorse_header) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }
+ let(:workhorse_headers) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }

 before do
 allow_next_instance_of(Gitlab::ImportExport) do |import_export|
@@ -35,7 +35,7 @@ describe API::GroupImport do
 }
 end

- subject { post api('/groups/import', user), params: params, headers: workhorse_header }
+ subject { upload_archive(file_upload, workhorse_headers, params) }

 shared_examples 'when all params are correct' do
 context 'when user is authorized to create new group' do
@@ -151,7 +151,7 @@ describe API::GroupImport do
 params[:file] = file_upload

 expect do
- post api('/groups/import', user), params: params, headers: workhorse_header
+ upload_archive(file_upload, workhorse_headers, params)
 end.not_to change { Group.count }.from(1)

 expect(response).to have_gitlab_http_status(:bad_request)
@@ -171,7 +171,7 @@ describe API::GroupImport do

 context 'without a file from workhorse' do
 it 'rejects the request' do
- subject
+ upload_archive(nil, workhorse_headers, params)

 expect(response).to have_gitlab_http_status(:bad_request)
 end
@@ -179,7 +179,7 @@ describe API::GroupImport do

 context 'without a workhorse header' do
 it 'rejects request without a workhorse header' do
- post api('/groups/import', user), params: params
+ upload_archive(file_upload, {}, params)

 expect(response).to have_gitlab_http_status(:forbidden)
 end
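Review bot: The 'without a file from workhorse' example now sends `file: nil`, but no example asserts that the input form the changelog names — a request carrying the old client-supplied `'file.path'`/`'file.name'` keys, whose declarations the lib hunk removes — is rejected, so the security fix has no regression test. I would add an example beside it that calls `upload_archive(nil, workhorse_headers, params.merge('file.path' => file_upload.path))` and expects `have_gitlab_http_status(:bad_request)`. Whether Grape drops the undeclared key before `requires :file` fails, or the validation rejects the request first, cannot be seen from this spec; the assertion holds either way. The enclosing `describe` block starts outside this hunk.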
@@ -189,9 +189,7 @@ describe API::GroupImport do
 let(:params) do
 {
 path: 'test-import-group',
- name: 'test-import-group',
- 'file.path' => file_upload.path,
- 'file.name' => file_upload.original_filename
+ name: 'test-import-group'
 }
 end

@@ -229,9 +227,7 @@ describe API::GroupImport do
 {
 path: 'test-import-group',
 name: 'test-import-group',
- file: fog_file,
- 'file.remote_id' => file_name,
- 'file.size' => fog_file.size
+ file: fog_file
 }
 end

@@ -245,10 +241,21 @@ describe API::GroupImport do
 include_examples 'when some params are missing'
 end
 end
+
+ def upload_archive(file, headers = {}, params = {})
+ workhorse_finalize(
+ api('/groups/import', user),
+ method: :post,
+ file_key: :file,
+ params: params.merge(file: file),
+ headers: headers,
+ send_rewritten_field: true
+ )
+ end
 end

 describe 'POST /groups/import/authorize' do
- subject { post api('/groups/import/authorize', user), headers: workhorse_header }
+ subject { post api('/groups/import/authorize', user), headers: workhorse_headers }

 it 'authorizes importing group with workhorse header' do
 subject
@@ -258,7 +265,7 @@ describe API::GroupImport do
 end

 it 'rejects requests that bypassed gitlab-workhorse' do
- workhorse_header.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)
+ workhorse_headers.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)

 subject
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100644..100755
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100644..100755
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore
|
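Review bot: The new `upload_archive` helper carries no comment explaining why it goes through `workhorse_finalize` with `send_rewritten_field: true` instead of a plain `post`, and since the endpoint now only accepts a Workhorse-rewritten `file` field, that is the whole reason the helper exists. I would add above the `def`: `# Drive the import through the Workhorse finalize flow so the file reaches the API as a rewritten WorkhorseFile field, which is what the endpoint now requires.` The `headers = {}` default appears to be what lets the 'without a workhorse header' example reach the `:forbidden` path, which is worth a clause in that comment too. The `describe` block that receives this `def` starts outside the hunk.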