Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq

7 files changed, 76 insertions, 4 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a51ac887aed..4b4f8fea31c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 11.5.5 (2018-12-20)
+
+### Security (1 change)
+
+- Fix persistent symlink in project import.
+
+
 ## 11.5.3 (2018-12-06)
 
 ### Security (1 change)
@@ -628,6 +635,13 @@ entry.
 - Check frozen string in style builds. (gfyoung)
 
 
+## 11.3.14 (2018-12-20)
+
+### Security (1 change)
+
+- Fix persistent symlink in project import.
+
+
 ## 11.3.13 (2018-12-13)
 
 ### Security (1 change)
diff --git a/changelogs/unreleased/security-import-symlink.yml b/changelogs/unreleased/security-import-symlink.yml
new file mode 100644
index 00000000000..fe1b6eccf9e
--- /dev/null
+++ b/changelogs/unreleased/security-import-symlink.yml
@@ -0,0 +1,5 @@
+---
+title: Fix persistent symlink in project import
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/import_export/command_line_util.rb b/lib/gitlab/import_export/command_line_util.rb
index c9e2a6a78d9..bdecff0931c 100644
--- a/lib/gitlab/import_export/command_line_util.rb
+++ b/lib/gitlab/import_export/command_line_util.rb
@@ -3,7 +3,8 @@
 module Gitlab
   module ImportExport
     module CommandLineUtil
-      DEFAULT_MODE = 0700
+      UNTAR_MASK = 'u+rwX,go+rX,go-w'
+      DEFAULT_DIR_MODE = 0700
 
       def tar_czf(archive:, dir:)
         tar_with_options(archive: archive, dir: dir, options: 'czf')
@@ -14,8 +15,8 @@ module Gitlab
       end
 
       def mkdir_p(path)
-        FileUtils.mkdir_p(path, mode: DEFAULT_MODE)
-        FileUtils.chmod(DEFAULT_MODE, path)
+        FileUtils.mkdir_p(path, mode: DEFAULT_DIR_MODE)
+        FileUtils.chmod(DEFAULT_DIR_MODE, path)
       end
 
       private
@@ -41,6 +42,7 @@ module Gitlab
 
       def untar_with_options(archive:, dir:, options:)
         execute(%W(tar -#{options} #{archive} -C #{dir}))
+        execute(%W(chmod -R #{UNTAR_MASK} #{dir}))
       end
 
       def execute(cmd)
diff --git a/spec/fixtures/symlink_export.tar.gz b/spec/fixtures/symlink_export.tar.gz
new file mode 100644
index 00000000000..f295f69c56c
--- /dev/null
+++ b/spec/fixtures/symlink_export.tar.gz
diff --git a/spec/lib/gitlab/import_export/command_line_util_spec.rb b/spec/lib/gitlab/import_export/command_line_util_spec.rb
new file mode 100644
index 00000000000..8e5e0aefac0
--- /dev/null
+++ b/spec/lib/gitlab/import_export/command_line_util_spec.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::ImportExport::CommandLineUtil do
+  include ExportFileHelper
+
+  let(:path) { "#{Dir.tmpdir}/symlink_test" }
+  let(:archive) { 'spec/fixtures/symlink_export.tar.gz' }
+  let(:shared) { Gitlab::ImportExport::Shared.new(nil) }
+
+  subject do
+    Class.new do
+      include Gitlab::ImportExport::CommandLineUtil
+
+      def initialize
+        @shared = Gitlab::ImportExport::Shared.new(nil)
+      end
+    end.new
+  end
+
+  before do
+    FileUtils.mkdir_p(path)
+    subject.untar_zxf(archive: archive, dir: path)
+  end
+
+  after do
+    FileUtils.rm_rf(path)
+  end
+
+  it 'has the right mask for project.json' do
+    expect(file_permissions("#{path}/project.json")).to eq(0755) # originally 777
+  end
+
+  it 'has the right mask for uploads' do
+    expect(file_permissions("#{path}/uploads")).to eq(0755) # originally 555
+  end
+end
diff --git a/spec/lib/gitlab/import_export/file_importer_spec.rb b/spec/lib/gitlab/import_export/file_importer_spec.rb
index bf34cefe18f..fbc9bcd2df5 100644
--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
+++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
@@ -1,6 +1,8 @@
 require 'spec_helper'
 
 describe Gitlab::ImportExport::FileImporter do
+  include ExportFileHelper
+
   let(:shared) { Gitlab::ImportExport::Shared.new(nil) }
   let(:storage_path) { "#{Dir.tmpdir}/file_importer_spec" }
   let(:valid_file) { "#{shared.export_path}/valid.json" }
@@ -8,6 +10,7 @@ describe Gitlab::ImportExport::FileImporter do
   let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
   let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
   let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }
+  let(:custom_mode_symlink_file) { "#{shared.export_path}/symlink.mode" }
 
   before do
     stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
@@ -45,10 +48,18 @@ describe Gitlab::ImportExport::FileImporter do
       expect(File.exist?(subfolder_symlink_file)).to be false
     end
 
+    it 'removes symlinks without any file permissions' do
+      expect(File.exist?(custom_mode_symlink_file)).to be false
+    end
+
     it 'does not remove a valid file' do
       expect(File.exist?(valid_file)).to be true
     end
 
+    it 'does not change a valid file permissions' do
+      expect(file_permissions(valid_file)).not_to eq(0000)
+    end
+
     it 'creates the file in the right subfolder' do
       expect(shared.export_path).to include('test/abcd')
     end
@@ -84,5 +95,7 @@ describe Gitlab::ImportExport::FileImporter do
     FileUtils.ln_s(valid_file, subfolder_symlink_file)
     FileUtils.ln_s(valid_file, hidden_symlink_file)
     FileUtils.ln_s(valid_file, evil_symlink_file)
+    FileUtils.ln_s(valid_file, custom_mode_symlink_file)
+    FileUtils.chmod_R(0000, custom_mode_symlink_file)
   end
 end
diff --git a/spec/support/import_export/export_file_helper.rb b/spec/support/import_export/export_file_helper.rb
index a49036c3b80..ac320934f5a 100644
--- a/spec/support/import_export/export_file_helper.rb
+++ b/spec/support/import_export/export_file_helper.rb
@@ -133,6 +133,6 @@ module ExportFileHelper
   end
 
   def file_permissions(file)
-    File.stat(file).mode & 0777
+    File.lstat(file).mode & 0777
   end
 end