diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-10-30 16:01:04 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-10-30 16:01:17 +0300 |
| commit | a114562fb6b3b350fc08225f388234a82a2700a1 (patch) | |
| tree | 73331025fa884094aadef7d0d8c20c9d24d7f71a | |
| parent | fce23e13968a87a1e2de96a6e945166c372736f4 (diff) | |
Add latest changes from gitlab-org/security/gitlab@16-5-stable-ee
| -rw-r--r-- | lib/gitlab/ci/components/instance_path.rb | 10 | ||||
| -rw-r--r-- | spec/lib/gitlab/ci/components/instance_path_spec.rb | 14 |
2 files changed, 23 insertions, 1 deletions
diff --git a/lib/gitlab/ci/components/instance_path.rb b/lib/gitlab/ci/components/instance_path.rb index 551284d9099..df2b2a14fc6 100644 --- a/lib/gitlab/ci/components/instance_path.rb +++ b/lib/gitlab/ci/components/instance_path.rb @@ -5,6 +5,7 @@ module Gitlab module Components class InstancePath include Gitlab::Utils::StrongMemoize + include ::Gitlab::LoopHelpers LATEST_VERSION_KEYWORD = '~latest' @@ -49,11 +50,18 @@ module Gitlab # Given a path like "my-org/sub-group/the-project/path/to/component" # find the project "my-org/sub-group/the-project" by looking at all possible paths. def find_project_by_component_path(path) + return if path.start_with?('/') # exit early if path starts with `/` or it will loop forever. + possible_paths = [path] + index = nil + + loop_until(limit: 20) do + index = path.rindex('/') # find index of last `/` in a path + break unless index - while index = path.rindex('/') # find index of last `/` in a path possible_paths << (path = path[0..index - 1]) end + # remove shortest path as it is group possible_paths.pop diff --git a/spec/lib/gitlab/ci/components/instance_path_spec.rb b/spec/lib/gitlab/ci/components/instance_path_spec.rb index 0bdcfcfd546..4ba963b54b5 100644 --- a/spec/lib/gitlab/ci/components/instance_path_spec.rb +++ b/spec/lib/gitlab/ci/components/instance_path_spec.rb @@ -84,6 +84,20 @@ RSpec.describe Gitlab::Ci::Components::InstancePath, feature_category: :pipeline end end + shared_examples 'prevents infinite loop' do |prefix| + context "when the project path starts with '#{prefix}'" do + let(:project_path) { "#{prefix}#{project.full_path}" } + + it 'returns nil' do + result = path.fetch_content!(current_user: user) + expect(result).to be_nil + end + end + end + + it_behaves_like 'prevents infinite loop', '/' + it_behaves_like 'prevents infinite loop', '//' + context 'when fetching the latest version of a component' do let_it_be(:project) do create( |