authorGitLab Bot <gitlab-bot@gitlab.com>2020-03-24 17:36:53 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-03-24 17:36:53 +0300
commitcc6190d962e3050b0b16b6d0958d9227187d93ce (patch)
tree0a32d4d150c77e7e91d177af73c7fdc262e07f1a
parentc6a4190175bcee8eb4f904d685a8656a90baa36a (diff)
Add latest changes from gitlab-org/security/gitlab@12-9-stable-ee
-rw-r--r--changelogs/unreleased/security-ssrf-attachment-url.yml5
-rw-r--r--lib/gitlab/import_export/attribute_cleaner.rb9
-rw-r--r--spec/lib/gitlab/import_export/attribute_cleaner_spec.rb3
3 files changed, 16 insertions, 1 deletions
diff --git a/changelogs/unreleased/security-ssrf-attachment-url.yml b/changelogs/unreleased/security-ssrf-attachment-url.yml
new file mode 100644
index 00000000000..bb5e3e54574
--- /dev/null
+++ b/changelogs/unreleased/security-ssrf-attachment-url.yml
@@ -0,0 +1,5 @@
+---
+title: Exclude Carrierwave remote URL methods from import
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index 3bfc059dcd3..018cb36fc58 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -11,7 +11,14 @@ module Gitlab
'discussion_id',
'custom_attributes'
].freeze
- PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
+ PROHIBITED_REFERENCES = Regexp.union(
+ /\Acached_markdown_version\Z/,
+ /_id\Z/,
+ /_ids\Z/,
+ /_html\Z/,
+ /attributes/,
+ /\Aremote_\w+_(url|urls|request_header)\Z/ # carrierwave automatically creates these attribute methods for uploads
+ ).freeze
def self.clean(*args)
new(*args).clean
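Review bot: The new entry on line 45 is a denylist addition to `PROHIBITED_REFERENCES`, so the cleaner still depends on someone remembering to list the next virtual setter that triggers network or filesystem work; a spec that walks the models using `mount_uploader`/`mount_uploaders` and asserts that `remote_<mount>_url`, `_urls` and `_request_header` are all rejected would make a newly mounted uploader fail the build instead of silently widening the import surface. The `\Z` anchor (used by the file's existing patterns as well) still matches before a trailing newline; for a denylist that only means more keys are stripped, so it is not a bypass, but `\z` is the strict end-of-string anchor if the file is ever normalised. The trailing comment on line 45 pushes the line well past the usual width and explains only that the methods exist, not why they are dangerous; consider moving it above the entry as `# Carrierwave mounts define remote_<mount>_url / _urls / _request_header setters; per the changelog these trigger a server-side fetch, so they must never be assignable from imported data`. The enclosing class starts and ends outside this hunk.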
diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
index 12857f97f7c..65e99c0c3b8 100644
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -32,6 +32,9 @@ describe Gitlab::ImportExport::AttributeCleaner do
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3],
+ 'remote_attachment_url' => 'http://something.dodgy',
+ 'remote_attachment_request_header' => 'bad value',
+ 'remote_attachment_urls' => %w(http://something.dodgy http://something.okay),
'attributes' => {
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
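Review bot: The three new keys on lines 57-59 all use the single mount name `attachment`, so the generic `\w+` part of the new pattern is not exercised by the spec; adding one key with a different mount name and one with an underscore in it, e.g. `'remote_avatar_url' => 'http://something.dodgy',` and `'remote_file_name_urls' => %w(http://something.dodgy),`, would pin that the entry is not tied to one column. The hash these lines belong to and the assertion that these keys are removed are both outside this hunk, so I am assuming the existing expectation covers every key in it.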