author | Nick Thomas <nick@gitlab.com> | 2018-12-04 18:59:01 +0300 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2018-12-05 17:12:35 +0300 |
commit | 69645389e925a106f00fed555fde54c38f26816a (patch) | |
tree | baf7b8dd019934e8bf9d113566b4497d64c61437 /spec/lib/gitlab/utils_spec.rb | |
parent | 87186cbc922465875e299ed761ed4d6143ae501a (diff) |
Prevent a path traversal attack on global file templates
The API permits path traversal characters like '../' to be passed down
to the template finder. Detect these requests and cause them to fail
with a 500 response code.
Diffstat (limited to 'spec/lib/gitlab/utils_spec.rb')
-rw-r--r-- | spec/lib/gitlab/utils_spec.rb | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/spec/lib/gitlab/utils_spec.rb b/spec/lib/gitlab/utils_spec.rb
index ad2c9d7f2af..fae32cff781 100644
--- a/spec/lib/gitlab/utils_spec.rb
+++ b/spec/lib/gitlab/utils_spec.rb
@@ -2,7 +2,33 @@ require 'spec_helper'
 
 describe Gitlab::Utils do
   delegate :to_boolean, :boolean_to_yes_no, :slugify, :random_string, :which, :ensure_array_from_string,
-    :bytes_to_megabytes, :append_path, to: :described_class
+    :bytes_to_megabytes, :append_path, :check_path_traversal!, to: :described_class
+
+  describe '.check_path_traversal!' do
+    it 'detects path traversal at the start of the string' do
+      expect { check_path_traversal!('../foo') }.to raise_error(/Invalid path/)
+    end
+
+    it 'detects path traversal at the start of the string, even to just the subdirectory' do
+      expect { check_path_traversal!('../') }.to raise_error(/Invalid path/)
+    end
+
+    it 'detects path traversal in the middle of the string' do
+      expect { check_path_traversal!('foo/../../bar') }.to raise_error(/Invalid path/)
+    end
+
+    it 'detects path traversal at the end of the string when slash-terminates' do
+      expect { check_path_traversal!('foo/../') }.to raise_error(/Invalid path/)
+    end
+
+    it 'detects path traversal at the end of the string' do
+      expect { check_path_traversal!('foo/..') }.to raise_error(/Invalid path/)
+    end
+
+    it 'does nothing for a safe string' do
+      expect(check_path_traversal!('./foo')).to eq('./foo')
+    end
+  end
 
   describe '.slugify' do
     {
|
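Review bot: The new `.check_path_traversal!` examples only exercise `..` as a whole path segment delimited by `/`, and the single accepting case is `'./foo'`; nothing asserts that a legitimate name containing consecutive dots (`'foo..bar'`, `'foo/..bar'`) is still accepted, so an over-broad matcher that rejects any `..` would pass this spec while breaking valid template names. The implementation is not in this hunk, so whether such names currently pass depends on how the matcher is written; I would add the two accepting examples below next to the `'./foo'` case so the boundary is pinned either way. The `raise_error(/Invalid path/)` expectations also pin only the message text; if the finder rescues a specific error class to produce the 500 described in the commit message, asserting that class here would keep the two in step, but the class is not visible in this hunk.
```ruby
  describe '.check_path_traversal!' do
    # … unchanged: existing traversal examples and the './foo' case …

    it 'does nothing for a filename containing consecutive dots' do
      expect(check_path_traversal!('foo..bar')).to eq('foo..bar')
    end

    it 'does nothing for a dot-prefixed segment that is not a parent reference' do
      expect(check_path_traversal!('foo/..bar')).to eq('foo/..bar')
    end
  end
```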