Merge branch 'security-1-1-fix-toctou-race' into '1-1-stable'v1.1.1 1-1-stable

[1.1] Fix TOCTOU race condition when serving files See merge request gitlab/gitlab-pages!5
author: Steve Azzopardi <sazzopardi@gitlab.com> 2018-11-26 10:47:12 +0300
committer: Steve Azzopardi <sazzopardi@gitlab.com> 2018-11-26 10:47:12 +0300
commit: aedbb005ce81270238e21699aa66ed46081ee94d (patch)
tree: 6a1e14e0c798ea0cd85e0866738f6e5bc9026357 /internal/domain/domain_test.go
parent: 5cffa83537890540d74664a43e828cd81a164980 (diff)
parent: d4586dad212c0048d2c535392ec4a53ebdf0c51c (diff)
1 files changed, 23 insertions, 0 deletions
diff --git a/internal/domain/domain_test.go b/internal/domain/domain_test.go
index 39976bfe..df4a7fee 100644
--- a/internal/domain/domain_test.go
+++ b/internal/domain/domain_test.go
@@ -361,6 +361,29 @@ func TestCacheControlHeaders(t *testing.T) {
 	assert.WithinDuration(t, now.UTC().Add(10*time.Minute), expiresTime.UTC(), time.Minute)
 }
 
+func TestOpenNoFollow(t *testing.T) {
+	tmpfile, err := ioutil.TempFile("", "link-test")
+	require.NoError(t, err)
+	defer tmpfile.Close()
+
+	orig := tmpfile.Name()
+	softLink := orig + ".link"
+	defer os.Remove(orig)
+
+	source, err := openNoFollow(orig)
+	require.NoError(t, err)
+	require.NotNil(t, source)
+	defer source.Close()
+
+	err = os.Symlink(orig, softLink)
+	require.NoError(t, err)
+	defer os.Remove(softLink)
+
+	link, err := openNoFollow(softLink)
+	require.Error(t, err)
+	require.Nil(t, link)
+}
+
 var chdirSet = false
 
 func setUpTests() {
author	Steve Azzopardi <sazzopardi@gitlab.com>	2018-11-26 10:47:12 +0300
committer	Steve Azzopardi <sazzopardi@gitlab.com>	2018-11-26 10:47:12 +0300
commit	aedbb005ce81270238e21699aa66ed46081ee94d (patch)
tree	6a1e14e0c798ea0cd85e0866738f6e5bc9026357 /internal/domain/domain_test.go
parent	5cffa83537890540d74664a43e828cd81a164980 (diff)
parent	d4586dad212c0048d2c535392ec4a53ebdf0c51c (diff)