Merge branch 'security-2754-fix-lfs-import-11-3' into 'security-11-3'

[11.3] Validate LFS hrefs before downloading them See merge request gitlab/gitlabhq!2700

Merge branch 'security-2754-fix-lfs-import-11-3' into 'security-11-3'
72af766a · John Jarvis · 60c89f44 · 72af766a · 72af766a · 72af766a
Commit 72af766a authored 6 years ago by John Jarvis
--- a/app/services/projects/lfs_pointers/lfs_download_service.rb
+++ b/app/services/projects/lfs_pointers/lfs_download_service.rb
@@ -4,12 +4,15 @@
 module Projects
  module LfsPointers
    class LfsDownloadService < BaseService
+      VALID_PROTOCOLS = %w[http https].freeze
+
      def execute(oid, url)
        return unless project&.lfs_enabled? && oid.present? && url.present?
  
        return if LfsObject.exists?(oid: oid)
  
        sanitized_uri = Gitlab::UrlSanitizer.new(url)
+        Gitlab::UrlBlocker.validate!(sanitized_uri.sanitized_url, protocols: VALID_PROTOCOLS)
  
        with_tmp_file(oid) do |file|
          size = download_and_save_file(file, sanitized_uri)

--- a/changelogs/unreleased/security-2754-fix-lfs-import.yml
+++ b/changelogs/unreleased/security-2754-fix-lfs-import.yml
+---
+title: Validate LFS hrefs before downloading them
+merge_request:
+author:
+type: security
--- a/spec/services/projects/lfs_pointers/lfs_download_service_spec.rb
+++ b/spec/services/projects/lfs_pointers/lfs_download_service_spec.rb
@@ -54,6 +54,18 @@ describe Projects::LfsPointers::LfsDownloadService do
      end
    end
  
+    context 'when a bad URL is used' do
+      where(download_link: ['/etc/passwd', 'ftp://example.com', 'http://127.0.0.2'])
+
+      with_them do
+        it 'does not download the file' do
+          expect(subject).not_to receive(:download_and_save_file)
+
+          expect { subject.execute(oid, download_link) }.not_to change { LfsObject.count }
+        end
+      end
+    end
+
    context 'when an lfs object with the same oid already exists'  do
      before do
        create(:lfs_object, oid: 'oid')