Fix credentials disclosure in mirroring failure

Merge branch 'security-scp-url-sanitizer-17-1' into '17-1-stable-ee' See merge request gitlab-org/security/gitlab!4448 Changelog: security

Fix credentials disclosure in mirroring failure
e616eef4 · Ola Oluro · GitLab Release Tools Bot · dd9081f3 · e616eef4 · e616eef4
Commit e616eef4 authored 5 months ago by Ola Oluro Committed by GitLab Release Tools Bot 5 months ago
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -8,6 +8,12 @@ class UrlSanitizer
    ALLOWED_WEB_SCHEMES = %w[http https].freeze
    SCHEMIFIED_SCHEME = 'glschemelessuri'
    SCHEMIFY_PLACEHOLDER = "#{SCHEMIFIED_SCHEME}://".freeze
+    # SCP style URLs have a format of [userinfo]@[host]:[path] with them not containing
+    # port arguments as that is passed along with a -P argument
+    SCP_REGEX = %r{
+      #{URI::REGEXP::PATTERN::USERINFO}@#{URI::REGEXP::PATTERN::HOST}:
+      (?!\b\d+\b) # use word boundaries to ensure no standalone digits after the colon
+    }x
    # URI::DEFAULT_PARSER.make_regexp will only match URLs with schemes or
    # relative URLs. This section will match schemeless URIs with userinfo
    # e.g. user:pass@gitlab.com but will not match scp-style URIs e.g.
@@ -20,9 +26,9 @@ class UrlSanitizer
    (?:
       #{URI::DEFAULT_PARSER.make_regexp(ALLOWED_SCHEMES)}
     |
+       (?# negative lookahead before the schemeless matcher ensures this isn't an SCP-style URL)
+       (?!#{SCP_REGEX})
       (?:(?:(?!@)[%#{URI::REGEXP::PATTERN::UNRESERVED}#{URI::REGEXP::PATTERN::RESERVED}])+(?:@))
-       (?# negative lookahead ensures this isn't an SCP-style URL: [host]:[rel_path|abs_path] server:path/to/file)
-       (?!#{URI::REGEXP::PATTERN::HOST}:(?:#{URI::REGEXP::PATTERN::REL_PATH}|#{URI::REGEXP::PATTERN::ABS_PATH}))
       #{URI::REGEXP::PATTERN::HOSTPORT}
    )
    }x

--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -33,6 +33,16 @@ def sanitize_url(url)
      urls << ['user:@server:project.git', 'user:@server:project.git']
      urls << [':pass@server:project.git', ':pass@server:project.git']
      urls << ['user:pass@server:project.git', 'user:pass@server:project.git']
+      urls << ['user:pass@server:123project.git', 'user:pass@server:123project.git']
+      urls << ['user:pass@server:1project3.git', 'user:pass@server:1project3.git']
+      urls << ['user:pass@server:project123.git', 'user:pass@server:project123.git']
+      urls << ['root@host:/root/ids/rules.tar.gz', 'root@host:/root/ids/rules.tar.gz']
+
+      # actual URLs that look like SCP-styled URLS
+      urls << ['username:password@test.com', '*****:*****@test.com']
+      urls << ['username:password@test.com:1234', '*****:*****@test.com:1234']
+      urls << ['username:password@test.com:1234/org/project', '*****:*****@test.com:1234/org/project']
+      urls << ['username:password@test.com:1234/org/project.git', '*****:*****@test.com:1234/org/project.git']
  
      # return an empty string for invalid URLs
      urls << ['ssh://', '']