Validate LFS hrefs before downloading them

author: Nick Thomas <nick@gitlab.com> 2018-12-11 19:52:22 +0300
committer: Nick Thomas <nick@gitlab.com> 2018-12-12 17:47:51 +0300
commit: c9d74cf24a39ad4390beced305ff9247beb5bf3e (patch)
tree: 94969e730f603faf9bbd5efc51bd61a6668b894d /app/services
parent: 8f4ec2509d9fd6f824cfd0a3ace90088df0153ed (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/app/services/projects/lfs_pointers/lfs_download_service.rb b/app/services/projects/lfs_pointers/lfs_download_service.rb
index 1c4a8d05be6..f9b9781ad5f 100644
--- a/app/services/projects/lfs_pointers/lfs_download_service.rb
+++ b/app/services/projects/lfs_pointers/lfs_download_service.rb
@@ -4,6 +4,8 @@
 module Projects
   module LfsPointers
     class LfsDownloadService < BaseService
+      VALID_PROTOCOLS = %w[http https].freeze
+
       # rubocop: disable CodeReuse/ActiveRecord
       def execute(oid, url)
         return unless project&.lfs_enabled? && oid.present? && url.present?
@@ -11,6 +13,7 @@ module Projects
         return if LfsObject.exists?(oid: oid)
 
         sanitized_uri = Gitlab::UrlSanitizer.new(url)
+        Gitlab::UrlBlocker.validate!(sanitized_uri.sanitized_url, protocols: VALID_PROTOCOLS)
 
         with_tmp_file(oid) do |file|
           size = download_and_save_file(file, sanitized_uri)
author	Nick Thomas <nick@gitlab.com>	2018-12-11 19:52:22 +0300
committer	Nick Thomas <nick@gitlab.com>	2018-12-12 17:47:51 +0300
commit	c9d74cf24a39ad4390beced305ff9247beb5bf3e (patch)
tree	94969e730f603faf9bbd5efc51bd61a6668b894d /app/services
parent	8f4ec2509d9fd6f824cfd0a3ace90088df0153ed (diff)