author | John Cai <jcai@gitlab.com> | 2019-09-30 18:39:44 +0300 |
---|---|---|
committer | John Cai <jcai@gitlab.com> | 2019-09-30 18:39:44 +0300 |
commit | d984dc793e0af3bcbaffa32116fd6e462c414c4f (patch) | |
tree | 48d239866fc0e9e9b93029327e709b78415954c8 | |
parent | 4aa8f83e8907de8eec870d2d07acc1d786fdf6a1 (diff) | |
parent | 67287e2bc4cda2ecc1313f9448d6421ebc9edab4 (diff) |
Merge branch 'security-1892-blob-flag-injection' into 'master'
Fix flag injection for SearchFilesByContent RPC
See merge request gitlab/gitaly!39
-rw-r--r-- | internal/service/repository/search_files.go | 4 | ||||
-rw-r--r-- | internal/service/repository/search_files_test.go | 11 |
2 files changed, 15 insertions, 0 deletions
diff --git a/internal/service/repository/search_files.go b/internal/service/repository/search_files.go
index f61434fa4..fac6ecbe0 100644
--- a/internal/service/repository/search_files.go
+++ b/internal/service/repository/search_files.go
@@ -140,5 +140,9 @@ func validateSearchFilesRequest(req searchFilesRequest) error {
 		return errors.New("no ref given")
 	}
 
+	if bytes.HasPrefix(req.GetRef(), []byte("-")) {
+		return errors.New("invalid ref argument")
+	}
+
 	return nil
 }
diff --git a/internal/service/repository/search_files_test.go b/internal/service/repository/search_files_test.go
index 1c08117df..bb2620c13 100644
--- a/internal/service/repository/search_files_test.go
+++ b/internal/service/repository/search_files_test.go
@@ -217,6 +217,9 @@ func TestSearchFilesByContentFailure(t *testing.T) {
 	client, conn := newRepositoryClient(t, serverSocketPath)
 	defer conn.Close()
 
+	testRepo, _, cleanupRepo := testhelper.NewTestRepo(t)
+	defer cleanupRepo()
+
 	testCases := []struct {
 		desc string
 		repo *gitalypb.Repository
@@ -243,6 +246,14 @@ func TestSearchFilesByContentFailure(t *testing.T) {
 			code: codes.InvalidArgument,
 			msg: "empty Repo",
 		},
+		{
+			desc: "invalid ref argument",
+			repo: testRepo,
+			query: ".",
+			ref: "--no-index",
+			code: codes.InvalidArgument,
+			msg: "invalid ref argument",
+		},
 	}
 
 	for _, tc := range testCases {
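Review bot: The new guard in validateSearchFilesRequest only rejects a ref whose first byte is `-`; the request's other user-controlled strings (at least `query`, judging by the test case) are not validated in this hunk, so if the caller places any of them before a `--` separator on the git command line they remain injectable — worth confirming in the code that builds the argv, which is outside this hunk. A first-byte denylist is reasonable defence in depth, but the invariant that actually closes the class of bug is that every user-supplied positional argument follows `--` in the git invocation; the check here should not be read as a substitute for that. Since `GetRef()` is raw bytes, a short why-comment would help the next reader, e.g. `// Refs are passed to git as positional arguments; a leading dash would be parsed as a flag.` validateSearchFilesRequest's body begins before this hunk.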
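Review bot: The added table entry exercises only `--no-index`; because the guard under test is a first-byte prefix check, add at least a bare `-` and a short-flag form such as `-e` as further cases with the same `code` and `msg`, so a later narrowing of the check to `--` alone is caught. It would also be worth a positive counterpart in the success test confirming that an ordinary ref such as `master` still passes validation, though that test is not part of this diff. The second return value of `testhelper.NewTestRepo(t)` is discarded here; if it is the repository path, a short comment saying it is unused would make the `_` deliberate. TestSearchFilesByContentFailure's loop body continues past the end of the hunk.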