author | Nick Thomas <nick@gitlab.com> | 2018-12-11 19:52:22 +0300 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2018-12-12 17:47:51 +0300 |
commit | c9d74cf24a39ad4390beced305ff9247beb5bf3e (patch) | |
tree | 94969e730f603faf9bbd5efc51bd61a6668b894d /app/services | |
parent | 8f4ec2509d9fd6f824cfd0a3ace90088df0153ed (diff) |
Validate LFS hrefs before downloading them
Diffstat (limited to 'app/services')
-rw-r--r-- | app/services/projects/lfs_pointers/lfs_download_service.rb | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/app/services/projects/lfs_pointers/lfs_download_service.rb b/app/services/projects/lfs_pointers/lfs_download_service.rb
index 1c4a8d05be6..f9b9781ad5f 100644
--- a/app/services/projects/lfs_pointers/lfs_download_service.rb
+++ b/app/services/projects/lfs_pointers/lfs_download_service.rb
@@ -4,6 +4,8 @@ module Projects
   module LfsPointers
     class LfsDownloadService < BaseService
+      VALID_PROTOCOLS = %w[http https].freeze
+
       # rubocop: disable CodeReuse/ActiveRecord
       def execute(oid, url)
         return unless project&.lfs_enabled? && oid.present? && url.present?
@@ -11,6 +13,7 @@ module Projects
         return if LfsObject.exists?(oid: oid)
         sanitized_uri = Gitlab::UrlSanitizer.new(url)
+        Gitlab::UrlBlocker.validate!(sanitized_uri.sanitized_url, protocols: VALID_PROTOCOLS)
         with_tmp_file(oid) do |file|
           size = download_and_save_file(file, sanitized_uri)
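Review bot: The `Gitlab::UrlBlocker.validate!` call in the second hunk passes only `protocols:` and so relies on the blocker's defaults for loopback and private-network addresses; if those defaults admit local addresses (not visible here), an LFS href pointing at an internal service would still pass, so consider passing `allow_localhost:` and `allow_local_network:` explicitly from the instance's settings rather than leaving them implicit. The check also covers only the initial URL: if `download_and_save_file` follows HTTP redirects, the redirect target is never validated, so redirects should either be disabled for this download or each hop re-validated before it is followed. `validate!` raises on a blocked URL whereas the guards above it return `nil`, so callers of `execute` now see an exception for an untrusted href instead of a nil result; either rescue it here and record the failed download, or document the raise on the method. The body of `execute` continues past the end of the hunk.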