author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 17:14:01 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 17:14:01 +0300 |
commit | a5baa12bfff6c41f6c9cf156edcf8e621f71848e (patch) | |
tree | 1a7f51da1300bca04a1bd070f12e66bc4955c832 /lib/gitlab/import_export | |
parent | bb51b8a098aa17b226d1e7941218512f8c835e08 (diff) |
Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee
Diffstat (limited to 'lib/gitlab/import_export')
-rw-r--r-- | lib/gitlab/import_export/decompressed_archive_size_validator.rb | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/lib/gitlab/import_export/decompressed_archive_size_validator.rb b/lib/gitlab/import_export/decompressed_archive_size_validator.rb
index 61b37256964..a185eb4df1c 100644
--- a/lib/gitlab/import_export/decompressed_archive_size_validator.rb
+++ b/lib/gitlab/import_export/decompressed_archive_size_validator.rb
@@ -8,6 +8,8 @@ module Gitlab
 DEFAULT_MAX_BYTES = 10.gigabytes.freeze
 TIMEOUT_LIMIT = 210.seconds
 
+ ServiceError = Class.new(StandardError)
+
 def initialize(archive_path:, max_bytes: self.class.max_bytes)
 @archive_path = archive_path
 @max_bytes = max_bytes
@@ -29,6 +31,8 @@ module Gitlab
 pgrp = nil
 valid_archive = true
 
+ validate_archive_path
+
 Timeout.timeout(TIMEOUT_LIMIT) do
 stdin, stdout, stderr, wait_thr = Open3.popen3(command, pgroup: true)
 stdin.close
@@ -78,15 +82,29 @@ module Gitlab
 false
 end
 
+ def validate_archive_path
+ Gitlab::Utils.check_path_traversal!(@archive_path)
+
+ raise(ServiceError, 'Archive path is not a string') unless @archive_path.is_a?(String)
+ raise(ServiceError, 'Archive path is a symlink') if File.lstat(@archive_path).symlink?
+ raise(ServiceError, 'Archive path is not a file') unless File.file?(@archive_path)
+ end
+
 def command
 "gzip -dc #{@archive_path} | wc -c"
 end
 
 def log_error(error)
+ archive_size = begin
+ File.size(@archive_path)
+ rescue StandardError
+ nil
+ end
+
 Gitlab::Import::Logger.info(
 message: error,
 import_upload_archive_path: @archive_path,
- import_upload_archive_size: File.size(@archive_path)
+ import_upload_archive_size: archive_size
 )
 end
 end |
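Review bot: `validate_archive_path` is now called from `valid` ahead of the `Timeout.timeout` block, but `valid` begins outside this hunk and the `rescue` that would turn a `ServiceError` (or the `Errno::ENOENT` that `File.lstat` raises for a missing path) into a `false` return is not visible here, so it is worth confirming that callers get `false` plus a logged error rather than an uncaught exception. A short comment above the call, such as `# Reject traversal, symlinks and non-regular files before the path reaches the gzip shell command`, would make the ordering intent explicit for the next reader.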
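Review bot: `validate_archive_path` rejects traversal, symlinks and non-files, but `command` still interpolates `@archive_path` unescaped into the shell string `"gzip -dc #{@archive_path} | wc -c"` that `Open3.popen3` runs through `/bin/sh` (the `|` forces a shell), so a path containing spaces or shell metacharacters is not covered by the new checks; the one-line hardening is `"gzip -dc #{Shellwords.escape(@archive_path)} | wc -c"`. The archive path presumably originates from server-side upload handling rather than a raw user string, so treat this as defence in depth rather than a confirmed injection. The `File.lstat(@archive_path).symlink?` check inspects only the final path component, so a symlinked parent directory passes, and `File.lstat` raises `Errno::ENOENT` rather than `ServiceError` for a missing file; comparing `File.realpath(@archive_path)` against `@archive_path` (or against the expected import directory) would cover both cases with a `ServiceError`. There also remains a window between these checks and the `gzip` spawn in which the file can be replaced; handing an already-opened `File` to gzip's stdin instead of passing the path would close it, if that matters for this import flow.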