lib/gitlab/middleware/path_traversal_check.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

# frozen_string_literal: true

module Gitlab
  module Middleware
    class PathTraversalCheck
      PATH_TRAVERSAL_MESSAGE = 'Potential path traversal attempt detected'

      EXCLUDED_EXACT_PATHS = %w[/search].freeze
      EXCLUDED_PATH_PREFIXES = %w[/search/].freeze

      EXCLUDED_API_PATHS = %w[/search].freeze
      EXCLUDED_PROJECT_API_PATHS = %w[/search].freeze
      EXCLUDED_GROUP_API_PATHS = %w[/search].freeze

      API_PREFIX = %r{/api/[^/]+}
      API_SUFFIX = %r{(?:\.[^/]+)?}

      EXCLUDED_API_PATHS_REGEX = [
        EXCLUDED_API_PATHS.map do |path|
          %r{\A#{API_PREFIX}#{path}#{API_SUFFIX}\z}
        end.freeze,
        EXCLUDED_PROJECT_API_PATHS.map do |path|
          %r{\A#{API_PREFIX}/projects/[^/]+(?:/-)?#{path}#{API_SUFFIX}\z}
        end.freeze,
        EXCLUDED_GROUP_API_PATHS.map do |path|
          %r{\A#{API_PREFIX}/groups/[^/]+(?:/-)?#{path}#{API_SUFFIX}\z}
        end.freeze
      ].flatten.freeze

      def initialize(app)
        @app = app
      end

      def call(env)
        if Feature.enabled?(:check_path_traversal_middleware, Feature.current_request)
          log_params = {}

          execution_time = measure_execution_time do
            request = ::Rack::Request.new(env.dup)
            check(request, log_params) unless excluded?(request)
          end

          log_params[:duration_ms] = execution_time.round(5) if execution_time

          log(log_params) unless log_params.empty?
        end

        @app.call(env)
      end

      private

      def measure_execution_time(&blk)
        if Feature.enabled?(:log_execution_time_path_traversal_middleware, Feature.current_request)
          Benchmark.ms(&blk)
        else
          yield

          nil
        end
      end

      def check(request, log_params)
        decoded_fullpath = CGI.unescape(request.fullpath)
        ::Gitlab::PathTraversal.check_path_traversal!(decoded_fullpath, skip_decoding: true)
      rescue ::Gitlab::PathTraversal::PathTraversalAttackError
        log_params[:method] = request.request_method
        log_params[:fullpath] = request.fullpath
        log_params[:message] = PATH_TRAVERSAL_MESSAGE
      end

      def excluded?(request)
        path = request.path

        return true if path.in?(EXCLUDED_EXACT_PATHS)
        return true if EXCLUDED_PATH_PREFIXES.any? { |p| path.start_with?(p) }
        return true if EXCLUDED_API_PATHS_REGEX.any? { |r| path.match?(r) }

        false
      end

      def log(payload)
        Gitlab::AppLogger.warn(
          payload.merge(class_name: self.class.name)
        )
      end
    end
  end
end