diff options
author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-08-05 21:05:01 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-08-05 21:05:01 +0300 |
commit | d0d436c2f368936a3114c2f4189c29d967035dda (patch) | |
tree | 52201c88c8049744687aba628a459f14a7439c95 | |
parent | eb326a7d60c77b31e9b261e95cac972e097bf00a (diff) | |
parent | 17d5289ef05d4c217513a90ca6d8b01ab24473d5 (diff) |
Merge remote-tracking branch 'dev/13-2-stable' into 13-2-stable
-rw-r--r-- | CHANGELOG.md | 7 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | internal/service/repository/create_from_url.go | 13 | ||||
-rw-r--r-- | internal/service/repository/create_from_url_test.go | 2 | ||||
-rw-r--r-- | ruby/proto/gitaly/version.rb | 2 |
5 files changed, 18 insertions, 8 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index a9179abd0..de7168f5f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Gitaly changelog +## 13.2.3 + +### Security (1 change) + +- Fix injection of arbitrary `http.*` options. + + ## 13.2.2 - No changes. @@ -1 +1 @@ -13.2.2 +13.2.3 diff --git a/internal/service/repository/create_from_url.go b/internal/service/repository/create_from_url.go index fc7db184e..a40488d10 100644 --- a/internal/service/repository/create_from_url.go +++ b/internal/service/repository/create_from_url.go @@ -23,10 +23,13 @@ func cloneFromURLCommand(ctx context.Context, repoURL, repositoryFullPath string return nil, helper.ErrInternal(err) } - flags := []git.Option{ + globalFlags := []git.Option{ + git.ValueFlag{Name: "-c", Value: "http.followRedirects=false"}, + } + + cloneFlags := []git.Option{ git.Flag{Name: "--bare"}, git.Flag{Name: "--quiet"}, - git.ValueFlag{Name: "-c", Value: "http.followRedirects=false"}, } if u.User != nil { @@ -41,12 +44,12 @@ func cloneFromURLCommand(ctx context.Context, repoURL, repositoryFullPath string u.User = nil authHeader := fmt.Sprintf("Authorization: Basic %s", base64.StdEncoding.EncodeToString([]byte(creds))) - flags = append(flags, git.ValueFlag{Name: "-c", Value: fmt.Sprintf("http.%s.extraHeader=%s", u.String(), authHeader)}) + globalFlags = append(globalFlags, git.ValueFlag{Name: "-c", Value: fmt.Sprintf("http.extraHeader=%s", authHeader)}) } - return git.SafeBareCmd(ctx, git.CmdStream{Err: stderr}, nil, nil, git.SubCmd{ + return git.SafeBareCmd(ctx, git.CmdStream{Err: stderr}, nil, globalFlags, git.SubCmd{ Name: "clone", - Flags: flags, + Flags: cloneFlags, PostSepArgs: []string{u.String(), repositoryFullPath}, }) } diff --git a/internal/service/repository/create_from_url_test.go b/internal/service/repository/create_from_url_test.go index 526c2cf64..b08737e38 100644 --- a/internal/service/repository/create_from_url_test.go +++ b/internal/service/repository/create_from_url_test.go @@ -77,7 +77,7 @@ func TestCloneRepositoryFromUrlCommand(t *testing.T) { expectedScrubbedURL := "https://www.example.com/secretrepo.git" expectedBasicAuthHeader := fmt.Sprintf("Authorization: Basic %s", base64.StdEncoding.EncodeToString([]byte("user:pass!?@"))) - expectedHeader := fmt.Sprintf("http.%s.extraHeader=%s", expectedScrubbedURL, expectedBasicAuthHeader) + expectedHeader := fmt.Sprintf("http.extraHeader=%s", expectedBasicAuthHeader) var args = cmd.Args() require.Contains(t, args, expectedScrubbedURL) diff --git a/ruby/proto/gitaly/version.rb b/ruby/proto/gitaly/version.rb index 871b661be..522a92926 100644 --- a/ruby/proto/gitaly/version.rb +++ b/ruby/proto/gitaly/version.rb @@ -1,5 +1,5 @@ # This file was auto-generated by release-tools # https://gitlab.com/gitlab-org/release-tools/-/blob/master/lib/release_tools/release/gitaly_release.rb module Gitaly - VERSION = '13.2.2' + VERSION = '13.2.3' end |