New upstream version 11.5.7+dfsg

2019-01-20 21:35:32 +05:30 · 2019-01-20 21:35:32 +05:30 · 86ace60a9c
parent a572b6d2b1
commit 86ace60a9c
8 changed files with 83 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.

+## 11.5.7 (2019-01-15)
+
+### Security (1 change)
+
+- Validate bundle files before unpacking them.
+
+
 ## 11.5.6 (2018-12-28)

 ### Security (17 changes)
--- a/2
+++ b/2
@ -1 +1 @@
-11.5.6
+11.5.7
--- a/lib/gitlab/git/bundle_file.rb
+++ b/lib/gitlab/git/bundle_file.rb
@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Git
+    class BundleFile
+      # All git bundle files start with this string
+      #
+      # https://github.com/git/git/blob/v2.20.1/bundle.c#L15
+      MAGIC = "# v2 git bundle\n"
+
+      InvalidBundleError = Class.new(StandardError)
+
+      attr_reader :filename
+
+      def self.check!(filename)
+        new(filename).check!
+      end
+
+      def initialize(filename)
+        @filename = filename
+      end
+
+      def check!
+        data = File.open(filename, 'r') { |f| f.read(MAGIC.size) }
+
+        raise InvalidBundleError, 'Invalid bundle file' unless data == MAGIC
+      end
+    end
+  end
+end
--- a/lib/gitlab/git/repository.rb
+++ b/lib/gitlab/git/repository.rb
@ -770,6 +770,11 @@ module Gitlab
      end

      def create_from_bundle(bundle_path)
+        # It's important to check that the linked-to file is actually a valid
+        # .bundle file as it is passed to `git clone`, which may otherwise
+        # interpret it as a pointer to another repository
+        ::Gitlab::Git::BundleFile.check!(bundle_path)
+
        gitaly_repository_client.create_from_bundle(bundle_path)
      end

--- a/scripts/prepare_build.sh
+++ b/scripts/prepare_build.sh
@ -11,7 +11,7 @@ fi

 # Only install knapsack after bundle install! Otherwise oddly some native
 # gems could not be found under some circumstance. No idea why, hours wasted.
-retry gem install knapsack --no-ri --no-rdoc
+retry gem install knapsack --no-document

 cp config/gitlab.yml.example config/gitlab.yml
 sed -i 's/bin_path: \/usr\/bin\/git/bin_path: \/usr\/local\/bin\/git/' config/gitlab.yml
--- a/spec/fixtures/malicious.bundle
+++ b/spec/fixtures/malicious.bundle
@ -0,0 +1 @@
+gitdir: foo.git
--- a/spec/lib/gitlab/git/bundle_file_spec.rb
+++ b/spec/lib/gitlab/git/bundle_file_spec.rb
@ -0,0 +1,26 @@
+require 'spec_helper'
+
+describe Gitlab::Git::BundleFile do
+  describe '.check!' do
+    let(:valid_bundle) { Tempfile.new }
+    let(:valid_bundle_path) { valid_bundle.path }
+    let(:invalid_bundle_path) { Rails.root.join('spec/fixtures/malicious.bundle') }
+
+    after do
+      valid_bundle.close!
+    end
+
+    it 'returns nil for a valid bundle' do
+      valid_bundle.write("# v2 git bundle\nfoo bar baz\n")
+      valid_bundle.close
+
+      expect(described_class.check!(valid_bundle_path)).to be_nil
+    end
+
+    it 'raises an exception for an invalid bundle' do
+      expect do
+        described_class.check!(invalid_bundle_path)
+      end.to raise_error(described_class::InvalidBundleError)
+    end
+  end
+end
--- a/spec/lib/gitlab/git/repository_spec.rb
+++ b/spec/lib/gitlab/git/repository_spec.rb
@ -1726,22 +1726,23 @@ describe Gitlab::Git::Repository, :seed_helper do
  end

  describe '#create_from_bundle' do
-    let(:bundle_path) { File.join(Dir.tmpdir, "repo-#{SecureRandom.hex}.bundle") }
+    let(:valid_bundle_path) { File.join(Dir.tmpdir, "repo-#{SecureRandom.hex}.bundle") }
+    let(:malicious_bundle_path) { Rails.root.join('spec/fixtures/malicious.bundle') }
    let(:project) { create(:project) }
    let(:imported_repo) { project.repository.raw }

    before do
-      expect(repository.bundle_to_disk(bundle_path)).to be_truthy
+      expect(repository.bundle_to_disk(valid_bundle_path)).to be_truthy
    end

    after do
-      FileUtils.rm_rf(bundle_path)
+      FileUtils.rm_rf(valid_bundle_path)
    end

    it 'creates a repo from a bundle file' do
      expect(imported_repo).not_to exist

-      result = imported_repo.create_from_bundle(bundle_path)
+      result = imported_repo.create_from_bundle(valid_bundle_path)

      expect(result).to be_truthy
      expect(imported_repo).to exist
@ -1749,11 +1750,17 @@ describe Gitlab::Git::Repository, :seed_helper do
    end

    it 'creates a symlink to the global hooks dir' do
-      imported_repo.create_from_bundle(bundle_path)
+      imported_repo.create_from_bundle(valid_bundle_path)
      hooks_path = Gitlab::GitalyClient::StorageSettings.allow_disk_access { File.join(imported_repo.path, 'hooks') }

      expect(File.readlink(hooks_path)).to eq(Gitlab.config.gitlab_shell.hooks_path)
    end
+
+    it 'raises an error if the bundle is an attempted malicious payload' do
+      expect do
+        imported_repo.create_from_bundle(malicious_bundle_path)
+      end.to raise_error(::Gitlab::Git::BundleFile::InvalidBundleError)
+    end
  end

  describe '#checksum' do
 @ -1 +1 @@
 .5.6
 .5.7