author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-07-01 20:05:30 +0300 |
committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-07-01 20:05:30 +0300 |
commit | 341f76257981dad071a801122f35d81cc53400de (patch) | |
tree | 504344f23505138fa0c69e425576dec3f1a3ed65 | |
parent | 7ea3e5262858d88001e0f96d7d4d003f26e2f909 (diff) | |
parent | cc313b9ddb84e6c77b353607235ec79a661d6463 (diff) |
Merge remote-tracking branch 'dev/13-0-stable' into 13-0-stable
-rw-r--r-- | CHANGELOG.md | 7 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | ruby/lib/gitlab/git/worktree.rb | 5 | ||||
-rw-r--r-- | ruby/proto/gitaly/version.rb | 2 | ||||
-rw-r--r-- | ruby/spec/lib/gitlab/git/repository_spec.rb | 3 | ||||
-rw-r--r-- | ruby/spec/lib/gitlab/git/worktree_spec.rb | 2 |
6 files changed, 16 insertions, 5 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e4999ca09..08ef9cffa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Gitaly changelog
+## 13.0.8
+
+### Security (1 change)
+
+- Add random suffix to worktree paths to obstruct path traversal.
+
+
 ## 13.0.7
 - No changes.
@@ -1 +1 @@
-13.0.7
+13.0.8
diff --git a/ruby/lib/gitlab/git/worktree.rb b/ruby/lib/gitlab/git/worktree.rb
index 59b62e5e3..5e7cf9e04 100644
--- a/ruby/lib/gitlab/git/worktree.rb
+++ b/ruby/lib/gitlab/git/worktree.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+require 'securerandom'
+
 module Gitlab
   module Git
     class Worktree
@@ -8,8 +10,9 @@ module Gitlab
       def initialize(repo_path, prefix, id)
         @repo_path = repo_path
         @prefix = prefix
+        @suffix = SecureRandom.hex
         @id = id.to_s
-        @name = "#{prefix}-#{id}"
+        @name = "#{prefix}-#{id}-#{@suffix}"
         @path = worktree_path
       end
diff --git a/ruby/proto/gitaly/version.rb b/ruby/proto/gitaly/version.rb
index eaee9830a..c4258f104 100644
--- a/ruby/proto/gitaly/version.rb
+++ b/ruby/proto/gitaly/version.rb
@@ -1,5 +1,5 @@
 # This file was auto-generated by release-tools
 # https://gitlab.com/gitlab-org/release-tools/-/blob/master/lib/release_tools/release/gitaly_release.rb
 module Gitaly
-  VERSION = '13.0.7'
+  VERSION = '13.0.8'
 end
diff --git a/ruby/spec/lib/gitlab/git/repository_spec.rb b/ruby/spec/lib/gitlab/git/repository_spec.rb
index 833d59600..e53db4a46 100644
--- a/ruby/spec/lib/gitlab/git/repository_spec.rb
+++ b/ruby/spec/lib/gitlab/git/repository_spec.rb
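Review bot: `@suffix = SecureRandom.hex` makes the worktree directory name unguessable, but `@id` is still interpolated into `@name` unchanged on the next lines, so the suffix obstructs traversal rather than preventing it — it is not a substitute for rejecting `..`, `/` or empty ids. If that validation lives in `worktree_path` or elsewhere outside this hunk (the 'rejects bad IDs' spec in this commit suggests it exists), a comment on the assignment should say so, e.g. `# Per-instance random suffix: the directory name must not be predictable from a caller-controlled id (CHANGELOG 13.0.8); id validation is still required.` Because the suffix is drawn per instance, two `Worktree.new(repo_path, prefix, id)` calls now yield different paths, so any caller that recomputes the name from prefix and id to locate or clean up an existing worktree (as the removed `rebase-#{rebase_id}` spec line did) must keep and use the instance's `name` instead. The `Worktree` class continues outside this hunk.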
@@ -643,7 +643,8 @@ describe Gitlab::Git::Repository do # rubocop:disable Metrics/BlockLength
     it 'lists files modified in source branch in sparse-checkout' do
       allow(repository).to receive(:with_worktree).and_wrap_original do |m, *args|
         m.call(*args) do
-          sparse = repository.path + "/worktrees/rebase-#{rebase_id}/info/sparse-checkout"
+          worktree = args[0]
+          sparse = repository.path + "/worktrees/#{worktree.name}/info/sparse-checkout"
           diff_files = IO.readlines(sparse, chomp: true)
           expect(diff_files).to eq(expected_files)
diff --git a/ruby/spec/lib/gitlab/git/worktree_spec.rb b/ruby/spec/lib/gitlab/git/worktree_spec.rb
index ac4834d63..e240622f2 100644
--- a/ruby/spec/lib/gitlab/git/worktree_spec.rb
+++ b/ruby/spec/lib/gitlab/git/worktree_spec.rb
@@ -10,7 +10,7 @@ describe Gitlab::Git::Worktree do
   it 'generates valid path' do
     worktree = described_class.new(repo_path, prefix, 12345)
-    expect(worktree.path).to eq('/tmp/test/gitlab-worktree/rebase-12345')
+    expect(worktree.path).to match('/tmp/test/gitlab-worktree/rebase-12345-.{16}')
   end
   it 'rejects bad IDs' do |
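Review bot: `worktree = args[0]` silently assumes the first argument forwarded to `with_worktree` is the `Worktree` instance; if the real signature is visible elsewhere in the spec, naming it in the block parameters makes that assumption explicit and self-checking, `and_wrap_original do |m, worktree, *rest|` with `m.call(worktree, *rest) do`. This is a style point only; the expectation itself is unchanged. The enclosing `it` block ends outside this hunk.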
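Review bot: The new expectation `match('/tmp/test/gitlab-worktree/rebase-12345-.{16}')` is unanchored and, since `SecureRandom.hex` with no argument returns 32 hex characters, `.{16}` only matches the first half of the suffix — it would also pass for a path with extra characters or a further path segment appended after the suffix. Pin the whole value: `expect(worktree.path).to match(%r{\A/tmp/test/gitlab-worktree/rebase-12345-\h{32}\z})`. A second assertion that two instances built from the same arguments produce different paths would test the property the changelog actually claims. The `describe` block continues outside this hunk.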