From 56c0f733d55fda4a0ac46687702f1b2ab39115bc Mon Sep 17 00:00:00 2001
From: Yorick Peterse <yorickpeterse@gmail.com>
Date: Tue, 15 Jan 2019 12:49:47 +0000
Subject: Merge branch 'security-2770-verify-bundle-import-files-11-4' into
 'security-11-4'

[11.4] Validate bundle files before unpacking them

See merge request gitlab/gitlabhq!2776

(cherry picked from commit 6176b02aa6577079986410719884bd253dc5e7be)

e5e5e77e Validate bundle files before unpacking them
---
 spec/lib/gitlab/git/repository_spec.rb | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

(limited to 'spec/lib/gitlab/git/repository_spec.rb')

diff --git a/spec/lib/gitlab/git/repository_spec.rb b/spec/lib/gitlab/git/repository_spec.rb
index 51eb997a325..87bdf5e3ce0 100644
--- a/spec/lib/gitlab/git/repository_spec.rb
+++ b/spec/lib/gitlab/git/repository_spec.rb
@@ -1677,22 +1677,23 @@ describe Gitlab::Git::Repository, :seed_helper do
   end
 
   describe '#create_from_bundle' do
-    let(:bundle_path) { File.join(Dir.tmpdir, "repo-#{SecureRandom.hex}.bundle") }
+    let(:valid_bundle_path) { File.join(Dir.tmpdir, "repo-#{SecureRandom.hex}.bundle") }
+    let(:malicious_bundle_path) { Rails.root.join('spec/fixtures/malicious.bundle') }
     let(:project) { create(:project) }
     let(:imported_repo) { project.repository.raw }
 
     before do
-      expect(repository.bundle_to_disk(bundle_path)).to be_truthy
+      expect(repository.bundle_to_disk(valid_bundle_path)).to be_truthy
     end
 
     after do
-      FileUtils.rm_rf(bundle_path)
+      FileUtils.rm_rf(valid_bundle_path)
     end
 
     it 'creates a repo from a bundle file' do
       expect(imported_repo).not_to exist
 
-      result = imported_repo.create_from_bundle(bundle_path)
+      result = imported_repo.create_from_bundle(valid_bundle_path)
 
       expect(result).to be_truthy
       expect(imported_repo).to exist
@@ -1700,11 +1701,17 @@ describe Gitlab::Git::Repository, :seed_helper do
     end
 
     it 'creates a symlink to the global hooks dir' do
-      imported_repo.create_from_bundle(bundle_path)
+      imported_repo.create_from_bundle(valid_bundle_path)
       hooks_path = Gitlab::GitalyClient::StorageSettings.allow_disk_access { File.join(imported_repo.path, 'hooks') }
 
       expect(File.readlink(hooks_path)).to eq(Gitlab.config.gitlab_shell.hooks_path)
     end
+
+    it 'raises an error if the bundle is an attempted malicious payload' do
+      expect do
+        imported_repo.create_from_bundle(malicious_bundle_path)
+      end.to raise_error(::Gitlab::Git::BundleFile::InvalidBundleError)
+    end
   end
 
   describe '#checksum' do
-- 
cgit v1.2.3