Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/import_export/command_line_util.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/import_export/project/relation_factory.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/search/abuse_detection.rb | 32 | ||||
-rw-r--r-- | lib/gitlab/search/params.rb | 2 |
4 files changed, 33 insertions, 5 deletions
diff --git a/lib/gitlab/import_export/command_line_util.rb b/lib/gitlab/import_export/command_line_util.rb
index dfe0815f0a0..ea91b01afdb 100644
--- a/lib/gitlab/import_export/command_line_util.rb
+++ b/lib/gitlab/import_export/command_line_util.rb
@@ -141,7 +141,7 @@ module Gitlab
 raise HardLinkError, 'File shares hard link' if Gitlab::Utils::FileInfo.shares_hard_link?(filepath)
- FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath)
+ FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || File.pipe?(filepath)
 end
 true
diff --git a/lib/gitlab/import_export/project/relation_factory.rb b/lib/gitlab/import_export/project/relation_factory.rb
index 943c997a056..8e34a6d73ba 100644
--- a/lib/gitlab/import_export/project/relation_factory.rb
+++ b/lib/gitlab/import_export/project/relation_factory.rb
@@ -81,6 +81,8 @@ module Gitlab
 private
+ attr_reader :relation_hash, :user
+
 def invalid_relation?
 # Do not create relation if it is a legacy trigger
 legacy_trigger?
diff --git a/lib/gitlab/search/abuse_detection.rb b/lib/gitlab/search/abuse_detection.rb
index 1e4169f3fd7..1fd7c6cfe8d 100644
--- a/lib/gitlab/search/abuse_detection.rb
+++ b/lib/gitlab/search/abuse_detection.rb
@@ -6,6 +6,7 @@ module Gitlab
 include ActiveModel::Validations
 include AbuseValidators
+ MAX_PIPE_SYNTAX_FILTERS = 5
 ABUSIVE_TERM_SIZE = 100
 ALLOWED_CHARS_REGEX = %r{\A[[:alnum:]_\-\/\.!]+\z}
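Review bot: The `File.pipe?` added to the `FileUtils.rm` guard is a deny-list that only covers FIFOs, so any other special file extracted into the same tree (a socket, a device node) is still left in place for whatever reads `filepath` afterwards; the enclosing method starts before this hunk, so it is not visible here which entries it visits. If it only visits non-directory entries, an allow-list is the more robust form: `FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || !File.file?(filepath)`. Either way the reason for the removal is not obvious from the line and deserves a why-comment above it, `# A FIFO in the archive would block the reader indefinitely; drop it the same way links are dropped`. Note that `File.pipe?` follows symlinks (it stats the target), which is harmless only because `linked?` short-circuits first — assuming `linked?` covers symlinks, which this hunk does not show.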
@@ -57,10 +58,18 @@ module Gitlab
 validates :query_string, :repository_ref, :project_ref, no_abusive_coercion_from_string: true
- attr_reader(*READABLE_PARAMS)
+ validate :no_abusive_pipes, if: :detect_abusive_pipes
- def initialize(params)
- READABLE_PARAMS.each { |p| instance_variable_set("@#{p}", params[p]) }
+ attr_reader(*READABLE_PARAMS)
+ attr_reader :raw_params, :detect_abusive_pipes
+
+ def initialize(params, detect_abusive_pipes: true)
+ @raw_params = {}
+ READABLE_PARAMS.each do |p|
+ instance_variable_set("@#{p}", params[p])
+ @raw_params[p] = params[p]
+ end
+ @detect_abusive_pipes = detect_abusive_pipes
 end
 private
@@ -76,6 +85,23 @@ module Gitlab
 def stop_word_search?
 STOP_WORDS.include? query_string
 end
+
+ def no_abusive_pipes
+ pipes = query_string.to_s.split('|')
+ errors.add(:query_string, 'too many pipe syntax filters') if pipes.length > MAX_PIPE_SYNTAX_FILTERS
+
+ pipes.each do |q|
+ self.class.new(raw_params.merge(query_string: q), detect_abusive_pipes: false).tap do |p|
+ p.validate
+
+ p.errors.messages_for(:query_string).each do |msg|
+ next if errors.added?(:query_string, msg)
+
+ errors.add(:query_string, msg)
+ end
+ end
+ end
+ end
 end
 end
 end
diff --git a/lib/gitlab/search/params.rb b/lib/gitlab/search/params.rb
index 6eb24a92be6..a7896b7d80d 100644
--- a/lib/gitlab/search/params.rb
+++ b/lib/gitlab/search/params.rb
@@ -81,7 +81,7 @@ module Gitlab
 end
 def search_terms
- @search_terms ||= query_string.split.select { |word| word.length >= MIN_TERM_LENGTH }
+ @search_terms ||= query_string.split
 end
 def not_too_many_terms |
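Review bot: In `no_abusive_pipes`, exceeding `MAX_PIPE_SYNTAX_FILTERS` adds the error but does not return, so an oversized query still builds and validates one `AbuseDetection` per `|`-segment — the check does the most work on exactly the input it is meant to reject. Returning after the error keeps the cost bounded by the limit: `return errors.add(:query_string, 'too many pipe syntax filters') if pipes.length > MAX_PIPE_SYNTAX_FILTERS`. The per-segment re-validation with `detect_abusive_pipes: false` correctly prevents recursion, but it relies on `raw_params.merge(query_string: q)` overriding the key the child reads in `initialize`, which holds only if `READABLE_PARAMS` (defined outside this hunk) holds symbols; if it held strings the child would see the full query again, so a spec asserting that a segment-only message is reported is worth adding. A short comment above the method would also help the next reader: `# Each '|'-separated segment is validated on its own (pipe detection off to avoid recursion) and its messages are merged in once.`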
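Review bot: Dropping the `MIN_TERM_LENGTH` filter from `search_terms` changes what the following `not_too_many_terms` (its body is outside the hunk) presumably counts: every whitespace-separated word now contributes, including one-character ones, so queries that previously passed the term limit can now be rejected, and the `||=` memo means the new value is what every other reader of `search_terms` sees. If that is the intent, say so in a comment above the method, `# Every word counts towards the term limit, regardless of its length`, and check whether `MIN_TERM_LENGTH` still has a use in this file; if not, remove the constant in the same change so it does not read as a guard that is still applied.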