blob: bbfdaf692f97421d562dbc88f20feaafe8b6f2b6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
# frozen_string_literal: true
module Import
module GitlabProjects
class CreateProjectFromRemoteFileService < CreateProjectFromUploadedFileService
FILE_SIZE_LIMIT = 10.gigabytes
ALLOWED_CONTENT_TYPES = ['application/gzip'].freeze
validate :valid_remote_import_url?
validate :validate_file_size
validate :validate_content_type
private
def required_params
[:path, :namespace, :remote_import_url]
end
def project_params
super
.except(:file)
.merge(import_export_upload: ::ImportExportUpload.new(
remote_import_url: params[:remote_import_url]
))
end
def valid_remote_import_url?
::Gitlab::UrlBlocker.validate!(
params[:remote_import_url],
allow_localhost: allow_local_requests?,
allow_local_network: allow_local_requests?,
schemes: %w(http https)
)
true
rescue ::Gitlab::UrlBlocker::BlockedUrlError => e
errors.add(:base, e.message)
false
end
def allow_local_requests?
::Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
end
def validate_content_type
if headers['content-type'].blank?
errors.add(:base, "Missing 'ContentType' header")
elsif !ALLOWED_CONTENT_TYPES.include?(headers['content-type'])
errors.add(:base, "Remote file content type '%{content_type}' not allowed. (Allowed content types: %{allowed})" % {
content_type: headers['content-type'],
allowed: ALLOWED_CONTENT_TYPES.join(',')
})
end
end
def validate_file_size
if headers['content-length'].to_i == 0
errors.add(:base, "Missing 'ContentLength' header")
elsif headers['content-length'].to_i > FILE_SIZE_LIMIT
errors.add(:base, 'Remote file larger than limit. (limit %{limit})' % {
limit: ActiveSupport::NumberHelper.number_to_human_size(FILE_SIZE_LIMIT)
})
end
end
def headers
return {} if params[:remote_import_url].blank? || !valid_remote_import_url?
@headers ||= Gitlab::HTTP.head(params[:remote_import_url]).headers
end
end
end
end
|