authorGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-07-01 21:16:50 +0300
committerGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-07-01 21:16:50 +0300
commit66a9d21ac2a425839b3910fa2a3ba26b60b438e0 (patch)
tree033ca897f5288e6e083705c6c0733a1b5f780291
parent24cc7055a13ddca80d15bfdf046426204d548693 (diff)
parente02767b313ed21fd79d18d7181cf15fb3dcd3862 (diff)
Merge remote-tracking branch 'dev/master'
-rw-r--r--CHANGELOG.md20
-rw-r--r--ruby/lib/gitlab/git/worktree.rb5
-rw-r--r--ruby/spec/lib/gitlab/git/repository_spec.rb3
-rw-r--r--ruby/spec/lib/gitlab/git/worktree_spec.rb2
4 files changed, 27 insertions, 3 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5db9bb8cb..e77439387 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
# Gitaly changelog
+## 13.1.2
+
+### Security (1 change)
+
+- Add random suffix to worktree paths to obstruct path traversal.
+
+
## 13.1.1
- No changes.
@@ -56,6 +63,13 @@
- danger: Suggest merge request ID in the changelog. !2254
+## 13.0.8
+
+### Security (1 change)
+
+- Add random suffix to worktree paths to obstruct path traversal.
+
+
## 13.0.7
- No changes.
@@ -144,6 +158,12 @@
- Update ffi gem to v1.12.2. !2111
- Update activesupport to v6.0.3 and gitlab-labkit to v0.12.0. !2178
+## 12.10.13
+
+### Security (1 change)
+
+- Add random suffix to worktree paths to obstruct path traversal.
+
## 12.10.12
diff --git a/ruby/lib/gitlab/git/worktree.rb b/ruby/lib/gitlab/git/worktree.rb
index 59b62e5e3..5e7cf9e04 100644
--- a/ruby/lib/gitlab/git/worktree.rb
+++ b/ruby/lib/gitlab/git/worktree.rb
@@ -1,5 +1,7 @@
# frozen_string_literal: true
+require 'securerandom'
+
module Gitlab
module Git
class Worktree
@@ -8,8 +10,9 @@ module Gitlab
def initialize(repo_path, prefix, id)
@repo_path = repo_path
@prefix = prefix
+ @suffix = SecureRandom.hex
@id = id.to_s
- @name = "#{prefix}-#{id}"
+ @name = "#{prefix}-#{id}-#{@suffix}"
@path = worktree_path
end
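Review bot: The new `@suffix` on line 72 comes from `SecureRandom.hex` with no argument, which yields 16 random bytes rendered as 32 hex characters, and nothing in the code records why the suffix exists, so a comment above that line would stop a later maintainer from "simplifying" it away, e.g. `# Random suffix keeps the worktree path unguessable (see CHANGELOG 13.1.2); hardening alongside id validation, not a replacement for it.` The validation of `id` is not visible in this hunk (the `rejects bad IDs` spec and `worktree_path` suggest it lives elsewhere in the class), so the suffix should be read as defence in depth rather than the sole guard against traversal. Note also that the companion worktree_spec change matches `rebase-12345-.{16}` unanchored, which accepts the 32-character suffix only by substring match; pinning it with something like `\h{32}\z` would make the spec assert the format actually produced. `initialize` closes at line 77 but the class body continues outside the hunk.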
diff --git a/ruby/spec/lib/gitlab/git/repository_spec.rb b/ruby/spec/lib/gitlab/git/repository_spec.rb
index ad6651496..d11142533 100644
--- a/ruby/spec/lib/gitlab/git/repository_spec.rb
+++ b/ruby/spec/lib/gitlab/git/repository_spec.rb
@@ -614,7 +614,8 @@ describe Gitlab::Git::Repository do # rubocop:disable Metrics/BlockLength
it 'lists files modified in source branch in sparse-checkout' do
allow(repository).to receive(:with_worktree).and_wrap_original do |m, *args|
m.call(*args) do
- sparse = repository.path + "/worktrees/rebase-#{rebase_id}/info/sparse-checkout"
+ worktree = args[0]
+ sparse = repository.path + "/worktrees/#{worktree.name}/info/sparse-checkout"
diff_files = IO.readlines(sparse, chomp: true)
expect(diff_files).to eq(expected_files)
diff --git a/ruby/spec/lib/gitlab/git/worktree_spec.rb b/ruby/spec/lib/gitlab/git/worktree_spec.rb
index ac4834d63..e240622f2 100644
--- a/ruby/spec/lib/gitlab/git/worktree_spec.rb
+++ b/ruby/spec/lib/gitlab/git/worktree_spec.rb
@@ -10,7 +10,7 @@ describe Gitlab::Git::Worktree do
it 'generates valid path' do
worktree = described_class.new(repo_path, prefix, 12345)
- expect(worktree.path).to eq('/tmp/test/gitlab-worktree/rebase-12345')
+ expect(worktree.path).to match('/tmp/test/gitlab-worktree/rebase-12345-.{16}')
end
it 'rejects bad IDs' do