Prevent filename bypass on artifact upload
The attack is outlined in https://gitlab.com/gitlab-org/gitlab/-/issues/213139. It exploits the fact that the artifacts endpoint reads `file.path` directly using `UploadedFile.from_params`. `file.path` can be given by the user and pass through workhorse. As such, it's an untrusted source and could contain the path of any file in `Dir.tmpdir`. This results in creating a `Ci::JobArtifact` pointing to an arbitrary temporary file.

To counter this, this commit relies on the fact that the upload endpoint deals with a multipart upload. This type of upload is handled by `Gitlab::Middleware::Multipart` which will read the upload file from a trusted source (the workhorse JWT token) and build an `UploadedFile` object out of it.

Thus, in the Grape endpoint, we can simply read the param directly and validate that it's an `UploadedFile`.
Showing
- GITLAB_WORKHORSE_VERSION: 1 addition, 1 deletion
- changelogs/unreleased/security-fix-issue-213139.yml: 5 additions, 0 deletions
- ee/spec/lib/gitlab/middleware/multipart_spec.rb: 10 additions, 4 deletions
- lib/api/runner.rb: 4 additions, 12 deletions
- lib/gitlab/middleware/multipart.rb: 3 additions, 0 deletions
- spec/lib/gitlab/middleware/multipart_spec.rb: 11 additions, 0 deletions
- spec/requests/api/runner_spec.rb: 42 additions, 19 deletions
- spec/support/helpers/workhorse_helpers.rb: 27 additions, 9 deletions
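
A simplified model of the before/after pattern the commit message describes, added here as an example; it is not code from the GitLab commit. `TrustedUpload`, `multipart_middleware`, both handler names, the sample paths and the HMAC-signed field map (a stand-in for the workhorse JWT) are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Constructed stand-ins: not GitLab's classes, endpoint code or JWT format.
SECRET = 'constructed-shared-secret'
TrustedUpload = Struct.new(:path, :name)

def secure_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Proxy side: sign the map of upload fields to the temp paths the proxy wrote.
def sign_rewritten_fields(fields)
  body = JSON.generate(fields)
  [body, OpenSSL::HMAC.hexdigest('SHA256', SECRET, body)]
end

# Middleware side: only fields named in the verified map become TrustedUpload.
def multipart_middleware(params, body, mac)
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, body)
  raise ArgumentError, 'bad signature' unless secure_eq(expected, mac)

  JSON.parse(body).each do |field, path|
    params[field] = TrustedUpload.new(path, params["#{field}.name"])
  end
  params
end

# Before: the handler reads the path from a request parameter the client can set.
def vulnerable_artifact_path(params)
  params['file.path']
end

# After: the handler accepts only the object built from the signed map.
def hardened_artifact_path(params)
  file = params['file']
  raise ArgumentError, 'file is not a trusted upload' unless file.is_a?(TrustedUpload)

  file.path
end

if __FILE__ == $PROGRAM_NAME
  body, mac = sign_rewritten_fields({}) # nothing was signed for this request
  params = multipart_middleware({ 'file.path' => '/tmp/constructed-other-file' }, body, mac)
  puts "before: #{vulnerable_artifact_path(params)}"
  puts "after:  #{(hardened_artifact_path(params) rescue 'rejected')}"
end
```

The type check works because a request parameter can only ever carry a string, so a `TrustedUpload` instance in `params` can only have come from the middleware.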