realaravinth/debian-mirror-gitlab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

New upstream version 11.5.7+dfsg

Browse source
This commit is contained in:
Abhijith PA 2019-01-20 21:35:32 +05:30
parent a572b6d2b1
commit 86ace60a9c
8 changed files with 83 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
CHANGELOG.md
View file

@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own documentation](doc/development/changelog.md) for instructions on adding your own
entry. entry.
## 11.5.7 (2019-01-15)
### Security (1 change)
- Validate bundle files before unpacking them.
## 11.5.6 (2018-12-28) ## 11.5.6 (2018-12-28)
### Security (17 changes) ### Security (17 changes)

2
VERSION
View file

@ -1 +1 @@
11.5.6 11.5.7

30
lib/gitlab/git/bundle_file.rb Normal file
View file

@ -0,0 +1,30 @@
# frozen_string_literal: true
module Gitlab
module Git
class BundleFile
# All git bundle files start with this string
#
# https://github.com/git/git/blob/v2.20.1/bundle.c#L15
MAGIC = "# v2 git bundle\n"
InvalidBundleError = Class.new(StandardError)
attr_reader :filename
def self.check!(filename)
new(filename).check!
end
def initialize(filename)
@filename = filename
end
def check!
data = File.open(filename, 'r') { |f| f.read(MAGIC.size) }
raise InvalidBundleError, 'Invalid bundle file' unless data == MAGIC
end
end
end
end

5
lib/gitlab/git/repository.rb
View file

@ -770,6 +770,11 @@ module Gitlab
end end
def create_from_bundle(bundle_path) def create_from_bundle(bundle_path)
# It's important to check that the linked-to file is actually a valid
# .bundle file as it is passed to `git clone`, which may otherwise
# interpret it as a pointer to another repository
::Gitlab::Git::BundleFile.check!(bundle_path)
gitaly_repository_client.create_from_bundle(bundle_path) gitaly_repository_client.create_from_bundle(bundle_path)
end end

2
scripts/prepare_build.sh
View file

@ -11,7 +11,7 @@ fi
# Only install knapsack after bundle install! Otherwise oddly some native # Only install knapsack after bundle install! Otherwise oddly some native
# gems could not be found under some circumstance. No idea why, hours wasted. # gems could not be found under some circumstance. No idea why, hours wasted.
retry gem install knapsack --no-ri --no-rdoc retry gem install knapsack --no-document
cp config/gitlab.yml.example config/gitlab.yml cp config/gitlab.yml.example config/gitlab.yml
sed -i 's/bin_path: \/usr\/bin\/git/bin_path: \/usr\/local\/bin\/git/' config/gitlab.yml sed -i 's/bin_path: \/usr\/bin\/git/bin_path: \/usr\/local\/bin\/git/' config/gitlab.yml

1
spec/fixtures/malicious.bundle vendored Normal file
View file

@ -0,0 +1 @@
gitdir: foo.git

26
spec/lib/gitlab/git/bundle_file_spec.rb Normal file
View file

@ -0,0 +1,26 @@
require 'spec_helper'
describe Gitlab::Git::BundleFile do
describe '.check!' do
let(:valid_bundle) { Tempfile.new }
let(:valid_bundle_path) { valid_bundle.path }
let(:invalid_bundle_path) { Rails.root.join('spec/fixtures/malicious.bundle') }
after do
valid_bundle.close!
end
it 'returns nil for a valid bundle' do
valid_bundle.write("# v2 git bundle\nfoo bar baz\n")
valid_bundle.close
expect(described_class.check!(valid_bundle_path)).to be_nil
end
it 'raises an exception for an invalid bundle' do
expect do
described_class.check!(invalid_bundle_path)
end.to raise_error(described_class::InvalidBundleError)
end
end
end

17
spec/lib/gitlab/git/repository_spec.rb
View file

@ -1726,22 +1726,23 @@ describe Gitlab::Git::Repository, :seed_helper do
end end
describe '#create_from_bundle' do describe '#create_from_bundle' do
let(:bundle_path) { File.join(Dir.tmpdir, "repo-#{SecureRandom.hex}.bundle") } let(:valid_bundle_path) { File.join(Dir.tmpdir, "repo-#{SecureRandom.hex}.bundle") }
let(:malicious_bundle_path) { Rails.root.join('spec/fixtures/malicious.bundle') }
let(:project) { create(:project) } let(:project) { create(:project) }
let(:imported_repo) { project.repository.raw } let(:imported_repo) { project.repository.raw }
before do before do
expect(repository.bundle_to_disk(bundle_path)).to be_truthy expect(repository.bundle_to_disk(valid_bundle_path)).to be_truthy
end end
after do after do
FileUtils.rm_rf(bundle_path) FileUtils.rm_rf(valid_bundle_path)
end end
it 'creates a repo from a bundle file' do it 'creates a repo from a bundle file' do
expect(imported_repo).not_to exist expect(imported_repo).not_to exist
result = imported_repo.create_from_bundle(bundle_path) result = imported_repo.create_from_bundle(valid_bundle_path)
expect(result).to be_truthy expect(result).to be_truthy
expect(imported_repo).to exist expect(imported_repo).to exist
@ -1749,11 +1750,17 @@ describe Gitlab::Git::Repository, :seed_helper do
end end
it 'creates a symlink to the global hooks dir' do it 'creates a symlink to the global hooks dir' do
imported_repo.create_from_bundle(bundle_path) imported_repo.create_from_bundle(valid_bundle_path)
hooks_path = Gitlab::GitalyClient::StorageSettings.allow_disk_access { File.join(imported_repo.path, 'hooks') } hooks_path = Gitlab::GitalyClient::StorageSettings.allow_disk_access { File.join(imported_repo.path, 'hooks') }
expect(File.readlink(hooks_path)).to eq(Gitlab.config.gitlab_shell.hooks_path) expect(File.readlink(hooks_path)).to eq(Gitlab.config.gitlab_shell.hooks_path)
end end
it 'raises an error if the bundle is an attempted malicious payload' do
expect do
imported_repo.create_from_bundle(malicious_bundle_path)
end.to raise_error(::Gitlab::Git::BundleFile::InvalidBundleError)
end
end end
describe '#checksum' do describe '#checksum' do