6 files changed, 58 insertions, 10 deletions
diff --git a/lib/bulk_imports/common/pipelines/wiki_pipeline.rb b/lib/bulk_imports/common/pipelines/wiki_pipeline.rb
index 6900835b14d..0f92c1f1210 100644
--- a/lib/bulk_imports/common/pipelines/wiki_pipeline.rb
+++ b/lib/bulk_imports/common/pipelines/wiki_pipeline.rb
@@ -22,7 +22,7 @@ module BulkImports
 wiki = context.portable.wiki
 url = data[:url].sub("://", "://oauth2:#{context.configuration.access_token}@")
- Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
+ Gitlab::UrlBlocker.validate!(url, schemes: %w[http https], allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
 wiki.ensure_repository
 wiki.repository.fetch_as_mirror(url)
diff --git a/lib/bulk_imports/projects/pipelines/repository_pipeline.rb b/lib/bulk_imports/projects/pipelines/repository_pipeline.rb
index f5ccc1dd922..a2b1f8c5176 100644
--- a/lib/bulk_imports/projects/pipelines/repository_pipeline.rb
+++ b/lib/bulk_imports/projects/pipelines/repository_pipeline.rb
@@ -21,7 +21,7 @@ module BulkImports
 url = url.sub("://", "://oauth2:#{context.configuration.access_token}@")
 project = context.portable
- Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
+ Gitlab::UrlBlocker.validate!(url, schemes: %w[http https], allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
 project.ensure_repository
 project.repository.fetch_as_mirror(url)
diff --git a/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb b/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb
index 6d423717a51..e29601927be 100644
--- a/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb
+++ b/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb
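Review bot: The oauth2 access token is spliced into `url` on the line before `Gitlab::UrlBlocker.validate!`, so the value being validated, and the value any rejection is raised about, already carries a credential; the repository_pipeline.rb hunk in this commit has the same ordering. Validating the credential-free input first and only then building the authenticated URL keeps the token out of the blocker's input and out of any exception or failure record derived from it: `Gitlab::UrlBlocker.validate!(data[:url], schemes: %w[http https], allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)` followed by `url = data[:url].sub("://", "://oauth2:#{context.configuration.access_token}@")`. Separately, `sub("://", ...)` is a no-op for an input without `://`, which the new `schemes:` restriction presumably now rejects instead of handing to git; a one-line comment stating that the scheme check is also what guards that case would help the next reader. The enclosing method of each hunk starts and ends outside the hunk.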
@@ -55,7 +55,9 @@ module BulkImports
 Gitlab::UrlBlocker.validate!(
 url,
 allow_local_network: allow_local_requests?,
- allow_localhost: allow_local_requests?)
+ allow_localhost: allow_local_requests?,
+ schemes: %w[http https]
+ )
 end
 def cleanup_snippet_repository(snippet)
diff --git a/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb b/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb
index 38b22538e70..a968104fc91 100644
--- a/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb
+++ b/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb
@@ -20,8 +20,9 @@ RSpec.describe BulkImports::Projects::Pipelines::RepositoryPipeline do
 )
 end
- let_it_be(:tracker) { create(:bulk_import_tracker, entity: entity) }
- let_it_be(:context) { BulkImports::Pipeline::Context.new(tracker) }
+ let_it_be_with_reload(:tracker) { create(:bulk_import_tracker, entity: entity) }
+
+ let(:context) { BulkImports::Pipeline::Context.new(tracker) }
 let(:extracted_data) { BulkImports::Pipeline::ExtractedData.new(data: project_data) }
@@ -61,7 +62,7 @@ RSpec.describe BulkImports::Projects::Pipelines::RepositoryPipeline do
 context 'blocked local networks' do
 let(:project_data) { { 'httpUrlToRepo' => 'http://localhost/foo.git' } }
- it 'imports new repository into destination project' do
+ it 'prevents import' do
 allow(Gitlab.config.gitlab).to receive(:host).and_return('notlocalhost.gitlab.com')
 allow(Gitlab::CurrentSettings).to receive(:allow_local_requests_from_web_hooks_and_services?).and_return(false)
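Review bot: `schemes: %w[http https]` is appended as the last keyword argument here, while the wiki and repository pipeline hunks in this commit place it immediately after `url`; keeping one argument order across the three `Gitlab::UrlBlocker.validate!` calls makes it easier to confirm by inspection or grep that every import path carries the scheme restriction. The reordered call would read `url,` / `schemes: %w[http https],` / `allow_local_network: allow_local_requests?,` / `allow_localhost: allow_local_requests?`. The method that builds `url` for this call begins outside the hunk, so whether the access token is added before or after validation is not visible here.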
@@ -70,6 +71,18 @@ RSpec.describe BulkImports::Projects::Pipelines::RepositoryPipeline do
 expect(context.entity.failed?).to eq(true)
 end
 end
+
+ context 'when scheme is blocked' do
+ let(:project_data) { { 'httpUrlToRepo' => 'file://example/tmp/foo.git' } }
+
+ it 'prevents import' do
+ pipeline.run
+
+ expect(context.entity.failed?).to eq(true)
+ expect(context.entity.failures.first).to be_present
+ expect(context.entity.failures.first.exception_message).to eq('Only allowed schemes are http, https')
+ end
+ end
 end
 describe '#after_run' do
diff --git a/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb b/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb
index 4d12b49e2c0..dfd01cdf4bb 100644
--- a/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb
+++ b/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb
@@ -135,9 +135,25 @@ RSpec.describe BulkImports::Projects::Pipelines::SnippetsRepositoryPipeline do
 end
 context 'when url is invalid' do
- let(:http_url_to_repo) { 'http://0.0.0.0' }
+ context 'when not a real URL' do
+ let(:http_url_to_repo) { 'http://0.0.0.0' }
- it_behaves_like 'skippable snippet'
+ it_behaves_like 'skippable snippet'
+ end
+
+ context 'when scheme is blocked' do
+ let(:http_url_to_repo) { 'file://example.com/foo/bar/snippets/42.git' }
+
+ it_behaves_like 'skippable snippet'
+
+ it 'logs the failure' do
+ pipeline.run
+
+ expect(tracker.failed?).to eq(true)
+ expect(tracker.entity.failures.first).to be_present
+ expect(tracker.entity.failures.first.exception_message).to eq('Only allowed schemes are http, https')
+ end
+ end
 end
 context 'when snippet is invalid' do
diff --git a/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb b/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb
index 06800f7cded..7e7460cd602 100644
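Review bot: The new 'when scheme is blocked' example pins the failure to the exact string `'Only allowed schemes are http, https'`, which couples the spec to `Gitlab::UrlBlocker`'s wording rather than to the behaviour under test; the snippets spec hunk in this section and the wiki shared example in the next file do the same. If the stored failure exposes the exception class, asserting on that, or matching the message with `include('schemes')`, would survive a wording change while still proving it was the scheme check rather than the local-network check that rejected the import. The `failed?` and `failures.first` assertions are the ones that carry the test and should stay as they are.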
--- a/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb
+++ b/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb
@@ -4,8 +4,9 @@ RSpec.shared_examples 'wiki pipeline imports a wiki for an entity' do
 describe '#run' do
 let_it_be(:bulk_import_configuration) { create(:bulk_import_configuration, bulk_import: bulk_import) }
- let_it_be(:tracker) { create(:bulk_import_tracker, entity: entity) }
- let_it_be(:context) { BulkImports::Pipeline::Context.new(tracker) }
+ let_it_be_with_reload(:tracker) { create(:bulk_import_tracker, entity: entity) }
+
+ let(:context) { BulkImports::Pipeline::Context.new(tracker) }
 let(:extracted_data) { BulkImports::Pipeline::ExtractedData.new(data: {}) }
@@ -40,5 +41,21 @@ RSpec.shared_examples 'wiki pipeline imports a wiki for an entity' do
 expect { subject.run }.not_to raise_error
 end
 end
+
+ context 'when scheme is blocked' do
+ it 'prevents import' do
+ # Force bulk_import_configuration to have a file:// URL
+ bulk_import_configuration.url = 'file://example.com'
+ bulk_import_configuration.save!(validate: false)
+
+ expect(subject).to receive(:source_wiki_exists?).and_return(true)
+
+ subject.run
+
+ expect(tracker.failed?).to eq(true)
+ expect(tracker.entity.failures.first).to be_present
+ expect(tracker.entity.failures.first.exception_message).to eq('Only allowed schemes are http, https')
+ end
+ end
 end
 end
|
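Review bot: `bulk_import_configuration.save!(validate: false)` is what makes this example possible, which suggests the configuration model's own validation would already refuse a `file://` URL; the comment above it only says the URL is forced, not why the bypass is needed, so a later reader may drop `validate: false` and silently lose the test. Suggested wording: `# Bypass model validation (which presumably rejects this scheme) so the pipeline's own UrlBlocker check is what gets exercised`. The `describe '#run'` block and the shared example start outside the hunk.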