authorGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-07-01 20:05:30 +0300
committerGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-07-01 20:05:30 +0300
commit341f76257981dad071a801122f35d81cc53400de (patch)
tree504344f23505138fa0c69e425576dec3f1a3ed65
parent7ea3e5262858d88001e0f96d7d4d003f26e2f909 (diff)
parentcc313b9ddb84e6c77b353607235ec79a661d6463 (diff)
Merge remote-tracking branch 'dev/13-0-stable' into 13-0-stable
-rw-r--r--CHANGELOG.md7
-rw-r--r--VERSION2
-rw-r--r--ruby/lib/gitlab/git/worktree.rb5
-rw-r--r--ruby/proto/gitaly/version.rb2
-rw-r--r--ruby/spec/lib/gitlab/git/repository_spec.rb3
-rw-r--r--ruby/spec/lib/gitlab/git/worktree_spec.rb2
6 files changed, 16 insertions, 5 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e4999ca09..08ef9cffa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
# Gitaly changelog
+## 13.0.8
+
+### Security (1 change)
+
+- Add random suffix to worktree paths to obstruct path traversal.
+
+
## 13.0.7
- No changes.
diff --git a/VERSION b/VERSION
index 4e8f3240e..8e7aa5e40 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-13.0.7
+13.0.8
diff --git a/ruby/lib/gitlab/git/worktree.rb b/ruby/lib/gitlab/git/worktree.rb
index 59b62e5e3..5e7cf9e04 100644
--- a/ruby/lib/gitlab/git/worktree.rb
+++ b/ruby/lib/gitlab/git/worktree.rb
@@ -1,5 +1,7 @@
# frozen_string_literal: true
+require 'securerandom'
+
module Gitlab
module Git
class Worktree
@@ -8,8 +10,9 @@ module Gitlab
def initialize(repo_path, prefix, id)
@repo_path = repo_path
@prefix = prefix
+ @suffix = SecureRandom.hex
@id = id.to_s
- @name = "#{prefix}-#{id}"
+ @name = "#{prefix}-#{id}-#{@suffix}"
@path = worktree_path
end
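Review bot: The random suffix makes the worktree directory unguessable, but `id` is still interpolated into `@name` verbatim at `@name = "#{prefix}-#{id}-#{@suffix}"`, so any rejection of separator characters or `..` in `id` must happen in `worktree_path` (called on the last line of the hunk and defined outside it) — the spec's "rejects bad IDs" case suggests it does, but confirm that it runs before the path is used rather than only in tests. Since the suffix looks like noise to a reader who has not seen the 13.0.8 changelog, add a why-comment above the assignment: `# Random 32-hex-char suffix so a caller who influences `id` cannot predict or pre-create the worktree directory (13.0.8 security fix); do not remove.`. Note that `SecureRandom.hex` with no argument yields 16 bytes, i.e. 32 hex characters, which is worth stating for whoever writes the matching specs.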
diff --git a/ruby/proto/gitaly/version.rb b/ruby/proto/gitaly/version.rb
index eaee9830a..c4258f104 100644
--- a/ruby/proto/gitaly/version.rb
+++ b/ruby/proto/gitaly/version.rb
@@ -1,5 +1,5 @@
# This file was auto-generated by release-tools
# https://gitlab.com/gitlab-org/release-tools/-/blob/master/lib/release_tools/release/gitaly_release.rb
module Gitaly
- VERSION = '13.0.7'
+ VERSION = '13.0.8'
end
diff --git a/ruby/spec/lib/gitlab/git/repository_spec.rb b/ruby/spec/lib/gitlab/git/repository_spec.rb
index 833d59600..e53db4a46 100644
--- a/ruby/spec/lib/gitlab/git/repository_spec.rb
+++ b/ruby/spec/lib/gitlab/git/repository_spec.rb
@@ -643,7 +643,8 @@ describe Gitlab::Git::Repository do # rubocop:disable Metrics/BlockLength
it 'lists files modified in source branch in sparse-checkout' do
allow(repository).to receive(:with_worktree).and_wrap_original do |m, *args|
m.call(*args) do
- sparse = repository.path + "/worktrees/rebase-#{rebase_id}/info/sparse-checkout"
+ worktree = args[0]
+ sparse = repository.path + "/worktrees/#{worktree.name}/info/sparse-checkout"
diff_files = IO.readlines(sparse, chomp: true)
expect(diff_files).to eq(expected_files)
diff --git a/ruby/spec/lib/gitlab/git/worktree_spec.rb b/ruby/spec/lib/gitlab/git/worktree_spec.rb
index ac4834d63..e240622f2 100644
--- a/ruby/spec/lib/gitlab/git/worktree_spec.rb
+++ b/ruby/spec/lib/gitlab/git/worktree_spec.rb
@@ -10,7 +10,7 @@ describe Gitlab::Git::Worktree do
it 'generates valid path' do
worktree = described_class.new(repo_path, prefix, 12345)
- expect(worktree.path).to eq('/tmp/test/gitlab-worktree/rebase-12345')
+ expect(worktree.path).to match('/tmp/test/gitlab-worktree/rebase-12345-.{16}')
end
it 'rejects bad IDs' do
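Review bot: The new assertion `expect(worktree.path).to match('/tmp/test/gitlab-worktree/rebase-12345-.{16}')` does not pin the suffix: a string pattern is converted to an unanchored regexp, and `SecureRandom.hex` with no argument produces 32 hex characters, so `.{16}` passes against the first 16 of them and would also pass if the suffix were shortened, non-hex, or followed by extra path components. Anchor it and match the actual length and alphabet: `expect(worktree.path).to match(%r{\A/tmp/test/gitlab-worktree/rebase-12345-\h{32}\z})`. The `'rejects bad IDs'` example starts on the last line of the hunk and continues outside it, so I cannot tell whether it covers separators and `..` in the id now that the name format changed.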