author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 15:42:22 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 15:43:16 +0300 |
commit | 9128a397824d6e402bc5098fc5427c8280604881 (patch) | |
tree | 2122740a330c8a358aab0c140d019581e7e84762 /spec | |
parent | 1556e3ab6610ebb6691fd28078ce5df020f15989 (diff) |
Merge branch 'security-2767-verify-lfs-finalize-from-workhorse-11-6' into 'security-11-6'
[11.6] Verify that LFS upload requests are genuine
See merge request gitlab/gitlabhq!2863
(cherry picked from commit 6154e199fee175685e24a5b0b0d57f5971b1ed08)
edb61807 Verify that LFS upload requests are genuine
Diffstat (limited to 'spec')
-rw-r--r-- | spec/requests/lfs_http_spec.rb | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb index e349181b794..1b0388444c3 100644 --- a/spec/requests/lfs_http_spec.rb +++ b/spec/requests/lfs_http_spec.rb @@ -1086,6 +1086,12 @@ describe 'Git LFS API and storage' do end end + context 'and request to finalize the upload is not sent by gitlab-workhorse' do + it 'fails with a JWT decode error' do + expect { put_finalize(lfs_tmp_file, verified: false) }.to raise_error(JWT::DecodeError) + end + end + context 'and workhorse requests upload finalize for a new lfs object' do before do lfs_object.destroy @@ -1347,8 +1353,12 @@ describe 'Git LFS API and storage' do context 'when pushing the same lfs object to the second project' do before do - put "#{second_project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", nil, - headers.merge('X-Gitlab-Lfs-Tmp' => lfs_tmp_file).compact + finalize_headers = headers + .merge('X-Gitlab-Lfs-Tmp' => lfs_tmp_file) + .merge(workhorse_internal_api_request_header) + + put "#{second_project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", + nil, finalize_headers end it 'responds with status 200' do @@ -1369,7 +1379,7 @@ describe 'Git LFS API and storage' do put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}/authorize", nil, authorize_headers end - def put_finalize(lfs_tmp = lfs_tmp_file, with_tempfile: false, args: {}) + def put_finalize(lfs_tmp = lfs_tmp_file, with_tempfile: false, verified: true, args: {}) upload_path = LfsObjectUploader.workhorse_local_upload_path file_path = upload_path + '/' + lfs_tmp if lfs_tmp 
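Review bot: The new negative example `it 'fails with a JWT decode error'` only covers a finalize request that carries no Workhorse header at all; a header that is present but forged — signed under a different secret or expired — is what an attacker would actually send, and it is not exercised. Add a sibling example in the same context that sends such a token and expects the same rejection. Pinning `raise_error(JWT::DecodeError)` also makes the contract "an exception escapes the request", which in production is an unhandled error rather than an explicit 4xx; if the endpoint is meant to reject non-Workhorse callers, consider asserting an explicit forbidden/unauthorized response status instead. The enclosing `describe`/`context` blocks start and end outside this hunk.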
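Review bot: The rewritten `before` block for the second-project push drops the trailing `.compact` that the removed lines applied to the header hash, so any nil-valued entry in `headers` would now be sent instead of stripped. I cannot see the `headers` definition from here; if it never holds nil values this is harmless, otherwise keep the strip at the end of the chain: `.merge(workhorse_internal_api_request_header).compact`.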
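Review bot: The new `verified:` keyword on `put_finalize` is undocumented, yet it is the switch that decides whether the request carries the Workhorse credential this whole change is about. Add a comment above the definition, e.g. `# verified: false omits the Workhorse JWT header, simulating a finalize request that did not come through gitlab-workhorse`. The method body continues past the end of this hunk.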
@@ -1383,11 +1393,14 @@ describe 'Git LFS API and storage' do
 'file.name' => File.basename(file_path)
 }
- put_finalize_with_args(args.merge(extra_args).compact)
+ put_finalize_with_args(args.merge(extra_args).compact, verified: verified)
 end
- def put_finalize_with_args(args)
- put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", args, headers
+ def put_finalize_with_args(args, verified:)
+ finalize_headers = headers
+ finalize_headers.merge!(workhorse_internal_api_request_header) if verified
+
+ put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", args, finalize_headers
 end
 def lfs_tmp_file |
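Review bot: In `put_finalize_with_args`, `finalize_headers = headers` does not copy the hash, so the following `merge!` mutates whatever object `headers` returns; if `headers` is a memoized `let`, the Workhorse header then sticks to it for the rest of the example, and a later call with `verified: false` inside the same example would still carry it. The `before` block elsewhere in this same commit uses the non-destructive `merge` for exactly this purpose, so do the same here: `finalize_headers = verified ? headers.merge(workhorse_internal_api_request_header) : headers`. That keeps the shared fixture untouched and removes the mutable local.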