Improve files API. Relative path check added. Create dir for new file if missing

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Improve files API. Relative path check added. Create dir for new file if missing
3f3b202c · Dmitriy Zaporozhets · a1d88f0f · 3f3b202c · 3f3b202c · 3f3b202c
Unverified Commit 3f3b202c authored 11 years ago by Dmitriy Zaporozhets
--- a/lib/gitlab/satellite/files/delete_file_action.rb
+++ b/lib/gitlab/satellite/files/delete_file_action.rb
@@ -17,6 +17,13 @@ module Gitlab
  
          # update the file in the satellite's working dir
          file_path_in_satellite = File.join(repo.working_dir, file_path)
+
+          # Prevent relative links
+          unless safe_path?(file_path_in_satellite)
+            Gitlab::GitLogger.error("FileAction: Relative path not allowed")
+            return false
+          end
+
          File.delete(file_path_in_satellite)
  
          # add removed file

--- a/lib/gitlab/satellite/files/edit_file_action.rb
+++ b/lib/gitlab/satellite/files/edit_file_action.rb
@@ -19,6 +19,13 @@ module Gitlab
  
          # update the file in the satellite's working dir
          file_path_in_satellite = File.join(repo.working_dir, file_path)
+
+          # Prevent relative links
+          unless safe_path?(file_path_in_satellite)
+            Gitlab::GitLogger.error("FileAction: Relative path not allowed")
+            return false
+          end
+
          File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
  
          # commit the changes

--- a/lib/gitlab/satellite/files/file_action.rb
+++ b/lib/gitlab/satellite/files/file_action.rb
@@ -8,6 +8,10 @@ module Gitlab
        @file_path = file_path
        @ref = ref
      end
+
+      def safe_path?(path)
+        File.absolute_path(path) == path
+      end
    end
  end
 end
--- a/lib/gitlab/satellite/files/new_file_action.rb
+++ b/lib/gitlab/satellite/files/new_file_action.rb
@@ -16,15 +16,19 @@ module Gitlab
          # create target branch in satellite at the corresponding commit from bare repo
          repo.git.checkout({raise: true, timeout: true, b: true}, ref, "origin/#{ref}")
  
-          # update the file in the satellite's working dir
          file_path_in_satellite = File.join(repo.working_dir, file_path)
+          dir_name_in_satellite = File.dirname(file_path_in_satellite)
  
          # Prevent relative links
-          unless File.absolute_path(file_path_in_satellite) == file_path_in_satellite
-            Gitlab::GitLogger.error("NewFileAction: Relative path not allowed")
+          unless safe_path?(file_path_in_satellite)
+            Gitlab::GitLogger.error("FileAction: Relative path not allowed")
            return false
          end
  
+          # Create dir if not exists
+          FileUtils.mkdir_p(dir_name_in_satellite)
+
+          # Write file
          File.open(file_path_in_satellite, 'w') { |f| f.write(content) }
  
          # add new file