author | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2014-08-27 13:26:27 +0200 |
---|---|---|
committer | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2014-08-27 14:42:58 +0200 |
commit | ea88c9b2747ffb4cb0481b8cb274ebc4919474db (patch) | |
tree | a7894facacdc2f0c29e3abbaa6054bc6a44d6e3f | |
parent | b5284310c2c9d6f53e983ca5224bea7c48e0f779 (diff) | |
download | gitlab-shell-ea88c9b2747ffb4cb0481b8cb274ebc4919474db.tar.gz |
Handle invalid number of arguments
When a remote user with a valid SSH key runs something like 'ssh
git@gitlab.example.com foobar', gitlab-shell would raise an exception in
the GitlabShell#escape_path method. With this change, we catch an
invalid number of arguments as soon as possible and exit.
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | lib/gitlab_shell.rb | 11 | ||||
-rw-r--r-- | spec/gitlab_shell_spec.rb | 8 |
3 files changed, 17 insertions, 3 deletions
@@ -1,5 +1,6 @@ v1.9.8 - Replace raise with abort when checking path to prevent path exposure + - Handle invalid number of arguments on remote commands v1.9.7 - Increased test coverage diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb index 6edb748..b2ddcc8 100644 --- a/lib/gitlab_shell.rb +++ b/lib/gitlab_shell.rb @@ -3,6 +3,8 @@ require 'shellwords' require_relative 'gitlab_net' class GitlabShell + DisallowedCommandError = Class.new(StandardError) + attr_accessor :key_id, :repo_name, :git_cmd, :repos_path, :repo_name def initialize @@ -28,19 +30,22 @@ class GitlabShell $stderr.puts "Access denied." end else - message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}." - $logger.warn message - puts 'Not allowed command' + raise DisallowedCommandError end else puts "Welcome to GitLab, #{username}!" end + rescue DisallowedCommandError => ex + message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}." + $logger.warn message + puts 'Not allowed command' end protected def parse_cmd args = Shellwords.shellwords(@origin_cmd) + raise DisallowedCommandError unless args.count == 2 @git_cmd = args[0] @repo_name = escape_path(args[1]) end diff --git a/spec/gitlab_shell_spec.rb b/spec/gitlab_shell_spec.rb index f997477..4741303 100644 --- a/spec/gitlab_shell_spec.rb +++ b/spec/gitlab_shell_spec.rb @@ -48,6 +48,14 @@ describe GitlabShell do its(:repo_name) { should == 'dmitriy.zaporozhets/gitlab-ci.git' } its(:git_cmd) { should == 'git-upload-pack' } end + + context 'with an invalid number of arguments' do + before { ssh_cmd 'foobar' } + + it "should raise an DisallowedCommandError" do + expect { subject.send :parse_cmd }.to raise_error(GitlabShell::DisallowedCommandError) + end + end end describe :exec do |
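Review bot: In `parse_cmd`, `Shellwords.shellwords(@origin_cmd)` runs before the new argument-count check and raises `ArgumentError` on an unmatched quote, so a command containing a stray quote still leaves `exec` as an unhandled exception instead of being logged and refused. Giving `parse_cmd` a `rescue ArgumentError` clause that does `raise DisallowedCommandError` would route that case through the rescue this hunk adds to `exec`. In that rescue, `=> ex` is never used and can be dropped. Since `@origin_cmd` is client-supplied, logging it as `@origin_cmd.inspect` would keep embedded newlines from splitting the log entry, assuming `$logger` writes messages verbatim. `exec` begins above this hunk, so its earlier branches are not visible here.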
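Review bot: The new context in `spec/gitlab_shell_spec.rb` only checks that `parse_cmd` raises for a single-word command; nothing covers what the commit message promises, namely that `exec` handles the error and exits cleanly. A matching example under `describe :exec` with `before { ssh_cmd 'foobar' }` and `expect { subject.exec }.not_to raise_error` would pin that, possibly with whatever stubs the existing `exec` examples already use. A command with three or more words would cover the other side of `args.count == 2`. The example description should read `"should raise a DisallowedCommandError"`.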