author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-30 18:16:56 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-30 18:16:56 +0300 |
commit | fa2fec1d18330e4cd9803ff164db19e7367e3838 (patch) | |
tree | 91a9bf1c74eeff29690f33e3faf2b8ca87051af3 /lib/gitlab/middleware | |
parent | 8ee0746f54c19fcb8fe81058594aa8d373c5b7d7 (diff) |
Add latest changes from gitlab-org/security/gitlab@13-5-stable-ee
Diffstat (limited to 'lib/gitlab/middleware')
-rw-r--r-- | lib/gitlab/middleware/multipart.rb | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/lib/gitlab/middleware/multipart.rb b/lib/gitlab/middleware/multipart.rb
index 7e98f1fc1f7..a6d8a778e05 100644
--- a/lib/gitlab/middleware/multipart.rb
+++ b/lib/gitlab/middleware/multipart.rb
@@ -31,6 +31,7 @@ module Gitlab
 RACK_ENV_KEY = 'HTTP_GITLAB_WORKHORSE_MULTIPART_FIELDS'
 JWT_PARAM_SUFFIX = '.gitlab-workhorse-upload'
 JWT_PARAM_FIXED_KEY = 'upload'
+ REWRITTEN_FIELD_NAME_MAX_LENGTH = 10000.freeze
 class Handler
 def initialize(env, message)
@@ -41,6 +42,8 @@ module Gitlab
 def with_open_files
 @rewritten_fields.each do |field, tmp_path|
+ raise "invalid field: #{field.inspect}" unless valid_field_name?(field)
+
 parsed_field = Rack::Utils.parse_nested_query(field)
 raise "unexpected field: #{field.inspect}" unless parsed_field.count == 1
@@ -108,6 +111,17 @@ module Gitlab
 private
+ def valid_field_name?(name)
+ # length validation
+ return false if name.size >= REWRITTEN_FIELD_NAME_MAX_LENGTH
+
+ # brackets validation
+ return false if name.include?('[]') || name.start_with?('[', ']')
+ return false unless ::Gitlab::Utils.valid_brackets?(name, allow_nested: false)
+
+ true
+ end
+
 def package_allowed_paths
 packages_config = ::Gitlab.config.packages
 return [] unless allow_packages_storage_path?(packages_config)
@@ -141,6 +155,8 @@ module Gitlab
 class HandlerForJWTParams < Handler
 def with_open_files
 @rewritten_fields.keys.each do |field|
+ raise "invalid field: #{field.inspect}" unless valid_field_name?(field)
+
 parsed_field = Rack::Utils.parse_nested_query(field)
 raise "unexpected field: #{field.inspect}" unless parsed_field.count == 1 |
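Review bot: `.freeze` on the added `REWRITTEN_FIELD_NAME_MAX_LENGTH = 10000.freeze` is a no-op, since Integer objects are already immutable in Ruby and `freeze` just returns the same object; it reads as a hint that the value is something other than a plain Integer. I would write `REWRITTEN_FIELD_NAME_MAX_LENGTH = 10_000` and explain the purpose of the bound, which nothing in the hunk does, e.g. `# Upper bound on a rewritten multipart field name; names at or above it are rejected before Rack::Utils.parse_nested_query sees them`. The constant list this hunk extends starts and ends outside the hunk.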
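Review bot: The new `raise "invalid field: #{field.inspect}"` interpolates the entire rejected field into the exception message, and since one reason for rejection is the name being 10000 characters or more, an oversized field of any length is echoed in full into whatever log or error tracker receives the exception. The existing `unexpected field` raise below has the same shape, but it runs only after the field was parsed; this new check is the first thing a name reaches, and the names presumably originate from the client's multipart request. Truncating before inspecting, `raise "invalid field: #{field[0, 100].inspect}"`, keeps the message diagnosable without unbounded growth. The identical line added to HandlerForJWTParams#with_open_files in the last hunk has the same issue. The body of with_open_files continues past the end of the hunk.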
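Review bot: `return false if name.size >= REWRITTEN_FIELD_NAME_MAX_LENGTH` rejects a name of exactly 10000 characters, which contradicts a constant named MAX_LENGTH; either change the comparison to `>` or document that the bound is exclusive. `name.size` also counts characters rather than bytes, so a multi-byte name can carry several times more data on the wire than the limit suggests; if the intent is to bound work done by `Rack::Utils.parse_nested_query`, `name.bytesize` is the stricter measure. The two inline comments `# length validation` and `# brackets validation` only restate the code; a method-level comment naming the threat is more useful, e.g. `# Rejects field names that Rack::Utils.parse_nested_query would find costly or ambiguous: over-long names, array syntax ([]), names beginning with a bracket, and whatever Gitlab::Utils.valid_brackets? rejects with allow_nested: false (presumably unbalanced or nested brackets)`. The `private` section this method joins continues outside the hunk.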