author | Marin Jankovski <marin@gitlab.com> | 2015-02-21 01:47:54 +0300 |
---|---|---|
committer | Marin Jankovski <marin@gitlab.com> | 2015-02-21 01:47:54 +0300 |
commit | 8ae3112b3f303c897c70952dd162589b1c394221 (patch) | |
tree | f1ee6b9013604a688cd06c75cc64650c564b3ff2 /config | |
parent | acc312fc257cd8534ccbbeab6e7bf70dca60279b (diff) | |
parent | 26d57a648c09f40bd1da3c81a0efe3661288b1af (diff) |
Merge branch 'upload-xss-access-control' into 'master'
Fix note attachments XSS and access control
Replaces the reverted #1528, as proposed in https://gitlab.com/gitlab-org/omnibus-gitlab/issues/434, as discussed with @dzaporozhets and as summarized in #2032.
@marin Could you take a look at the nginx config and apply it to Omnibus once this gets merged?
See merge request !1553
Diffstat (limited to 'config')
-rw-r--r-- | config/initializers/static_files.rb | 18 | ||||
-rw-r--r-- | config/routes.rb | 14 |
2 files changed, 32 insertions, 0 deletions
diff --git a/config/initializers/static_files.rb b/config/initializers/static_files.rb
new file mode 100644
index 00000000000..bc4fe14bc1a
--- /dev/null
+++ b/config/initializers/static_files.rb
@@ -0,0 +1,18 @@
+begin
+  app = Rails.application
+
+  # The `ActionDispatch::Static` middleware intercepts requests for static files
+  # by checking if they exist in the `/public` directory.
+  # We're replacing it with our `Gitlab::Middleware::Static` that does the same,
+  # except ignoring `/uploads`, letting those go through to the GitLab Rails app.
+
+  app.config.middleware.swap(
+    ActionDispatch::Static,
+    Gitlab::Middleware::Static,
+    app.paths["public"].first,
+    app.config.static_cache_control
+  )
+rescue
+  # If ActionDispatch::Static wasn't loaded onto the stack (like in production),
+  # an exception is raised.
+end
diff --git a/config/routes.rb b/config/routes.rb
index 101c5f3c362..a6ffd28b2ea 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -75,7 +75,21 @@ Gitlab::Application.routes.draw do
     end
   end
+  #
+  # Uploads
+  #
+  scope path: :uploads do
+    # Note attachments and User/Group/Project avatars
+    get ":model/:mounted_as/:id/:filename",
+      to: "uploads#show",
+      constraints: { model: /note|user|group|project/, mounted_as: /avatar|attachment/, filename: /.+/ }
+
+    # Project markdown uploads
+    get ":id/:secret/:filename",
+      to: "projects/uploads#show",
+      constraints: { id: /[a-zA-Z.0-9_\-]+\/[a-zA-Z.0-9_\-]+/, filename: /.+/ }
+  end
   #
   # Explore area |
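Review bot: The bare `rescue` around the swap in static_files.rb catches every StandardError, not only the "middleware not in the stack" case the comment describes, so a failure to resolve `Gitlab::Middleware::Static` (a NameError, e.g. from a load-order or autoload problem) is silently ignored and `ActionDispatch::Static` keeps serving files under `/uploads` straight from `public/`, which is precisely the access-control bypass this merge is meant to close. If `app.config.middleware` is still the deferred MiddlewareStackProxy at initializer time, the swap is merely recorded here and a missing-middleware error would surface later when the stack is built, outside this begin/rescue, so the rescue would not even catch the condition it was written for. The setting that decides whether `ActionDispatch::Static` is on the stack is already exposed by Rails, so guard on it and let any other error fail the boot loudly: replace `begin` with `if app.config.serve_static_assets` (`serve_static_files` on Rails 4.2+), delete the `rescue` branch and its two comment lines, and keep the closing `end`. The routes.rb hunk is cut off at the end of the page and is not reviewed here.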