diff options
author | Jacob Vosmaer (GitLab) <jacob@gitlab.com> | 2016-09-09 14:33:08 +0300 |
---|---|---|
committer | Jacob Vosmaer (GitLab) <jacob@gitlab.com> | 2016-09-09 14:33:08 +0300 |
commit | b7e6da5a4baf1e6ac0e6d62ef6ff5a09de44d6f1 (patch) | |
tree | e99ed8e70ababbeaacf301345e8d356ff73c0409 /lib/ci | |
parent | 483a28a46bc3ad060749e36585912033440ae8c3 (diff) | |
parent | 7ad0bfac2301e6d5be9d0621edcf695ce9f9c01a (diff) |
Merge branch 'gitlab-workhorse-safeties' into 'master'
Security and safety improvements for gitlab-workhorse integration
Companion to https://gitlab.com/gitlab-org/gitlab-workhorse/merge_requests/60
- Use a custom content type when sending data to gitlab-workhorse
- Verify (using JWT and a shared secret on disk) that internal API requests came from gitlab-workhorse
This will allow us to build features in gitlab-workhorse that require
more trust, and protect us against programming mistakes in the future.
This is designed so that no action is required for installations from
source. For omnibus-gitlab we need to add code that manages the shared
secret.
See merge request !5907
Diffstat (limited to 'lib/ci')
-rw-r--r-- | lib/ci/api/builds.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/ci/api/builds.rb b/lib/ci/api/builds.rb index eb4947cdbf1..54db63d4628 100644 --- a/lib/ci/api/builds.rb +++ b/lib/ci/api/builds.rb @@ -101,6 +101,7 @@ module Ci # POST /builds/:id/artifacts/authorize post ":id/artifacts/authorize" do require_gitlab_workhorse! + Gitlab::Workhorse.verify_api_request!(headers) not_allowed! unless Gitlab.config.artifacts.enabled build = Ci::Build.find_by_id(params[:id]) not_found! unless build @@ -113,7 +114,8 @@ module Ci end status 200 - { TempPath: ArtifactUploader.artifacts_upload_path } + content_type Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE + Gitlab::Workhorse.artifact_upload_ok end # Upload artifacts to build - Runners only |