Merge remote-tracking branch 'dev/13-2-stable' into 13-2-stable

author: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2020-08-05 21:05:01 +0300
committer: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2020-08-05 21:05:01 +0300
commit: d0d436c2f368936a3114c2f4189c29d967035dda (patch)
tree: 52201c88c8049744687aba628a459f14a7439c95
parent: eb326a7d60c77b31e9b261e95cac972e097bf00a (diff)
parent: 17d5289ef05d4c217513a90ca6d8b01ab24473d5 (diff)
5 files changed, 18 insertions, 8 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a9179abd0..de7168f5f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Gitaly changelog
 
+## 13.2.3
+
+### Security (1 change)
+
+- Fix injection of arbitrary `http.*` options.
+
+
 ## 13.2.2
 
 - No changes.
diff --git a/VERSION b/VERSION
index 83de0bb17..d8308f987 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-13.2.2
+13.2.3
diff --git a/internal/service/repository/create_from_url.go b/internal/service/repository/create_from_url.go
index fc7db184e..a40488d10 100644
--- a/internal/service/repository/create_from_url.go
+++ b/internal/service/repository/create_from_url.go
@@ -23,10 +23,13 @@ func cloneFromURLCommand(ctx context.Context, repoURL, repositoryFullPath string
 		return nil, helper.ErrInternal(err)
 	}
 
-	flags := []git.Option{
+	globalFlags := []git.Option{
+		git.ValueFlag{Name: "-c", Value: "http.followRedirects=false"},
+	}
+
+	cloneFlags := []git.Option{
 		git.Flag{Name: "--bare"},
 		git.Flag{Name: "--quiet"},
-		git.ValueFlag{Name: "-c", Value: "http.followRedirects=false"},
 	}
 
 	if u.User != nil {
@@ -41,12 +44,12 @@ func cloneFromURLCommand(ctx context.Context, repoURL, repositoryFullPath string
 
 		u.User = nil
 		authHeader := fmt.Sprintf("Authorization: Basic %s", base64.StdEncoding.EncodeToString([]byte(creds)))
-		flags = append(flags, git.ValueFlag{Name: "-c", Value: fmt.Sprintf("http.%s.extraHeader=%s", u.String(), authHeader)})
+		globalFlags = append(globalFlags, git.ValueFlag{Name: "-c", Value: fmt.Sprintf("http.extraHeader=%s", authHeader)})
 	}
 
-	return git.SafeBareCmd(ctx, git.CmdStream{Err: stderr}, nil, nil, git.SubCmd{
+	return git.SafeBareCmd(ctx, git.CmdStream{Err: stderr}, nil, globalFlags, git.SubCmd{
 		Name:        "clone",
-		Flags:       flags,
+		Flags:       cloneFlags,
 		PostSepArgs: []string{u.String(), repositoryFullPath},
 	})
 }
diff --git a/internal/service/repository/create_from_url_test.go b/internal/service/repository/create_from_url_test.go
index 526c2cf64..b08737e38 100644
--- a/internal/service/repository/create_from_url_test.go
+++ b/internal/service/repository/create_from_url_test.go
@@ -77,7 +77,7 @@ func TestCloneRepositoryFromUrlCommand(t *testing.T) {
 
 	expectedScrubbedURL := "https://www.example.com/secretrepo.git"
 	expectedBasicAuthHeader := fmt.Sprintf("Authorization: Basic %s", base64.StdEncoding.EncodeToString([]byte("user:pass!?@")))
-	expectedHeader := fmt.Sprintf("http.%s.extraHeader=%s", expectedScrubbedURL, expectedBasicAuthHeader)
+	expectedHeader := fmt.Sprintf("http.extraHeader=%s", expectedBasicAuthHeader)
 
 	var args = cmd.Args()
 	require.Contains(t, args, expectedScrubbedURL)
diff --git a/ruby/proto/gitaly/version.rb b/ruby/proto/gitaly/version.rb
index 871b661be..522a92926 100644
--- a/ruby/proto/gitaly/version.rb
+++ b/ruby/proto/gitaly/version.rb
@@ -1,5 +1,5 @@
 # This file was auto-generated by release-tools
 #  https://gitlab.com/gitlab-org/release-tools/-/blob/master/lib/release_tools/release/gitaly_release.rb
 module Gitaly
-  VERSION = '13.2.2'
+  VERSION = '13.2.3'
 end
author	GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>	2020-08-05 21:05:01 +0300
committer	GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>	2020-08-05 21:05:01 +0300
commit	d0d436c2f368936a3114c2f4189c29d967035dda (patch)
tree	52201c88c8049744687aba628a459f14a7439c95
parent	eb326a7d60c77b31e9b261e95cac972e097bf00a (diff)
parent	17d5289ef05d4c217513a90ca6d8b01ab24473d5 (diff)