Boxiang Sun / gitlab-ce / Commits

Commit dd37a10d, authored Feb 23, 2015 by Douwe Maan
parent 039fd3c5

Don't leak information about private project existence via Git-over-SSH/HTTP.

Changes: 2 changed files with 50 additions and 41 deletions (+50 -41)
  lib/api/internal.rb               +22 -17
  lib/gitlab/backend/grack_auth.rb  +28 -24
lib/api/internal.rb
...
@@ -16,6 +16,17 @@ module API
...
@@ -16,6 +16,17 @@ module API
#
#
post
"/allowed"
do
post
"/allowed"
do
status
200
status
200
actor
=
if
params
[
:key_id
]
Key
.
find_by
(
id:
params
[
:key_id
])
elsif
params
[
:user_id
]
User
.
find_by
(
id:
params
[
:user_id
])
end
unless
actor
return
Gitlab
::
GitAccessStatus
.
new
(
false
,
'No such user or key'
)
end
project_path
=
params
[
:project
]
project_path
=
params
[
:project
]
# Check for *.wiki repositories.
# Check for *.wiki repositories.
...
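Review bot: the actor lookup now runs before the project is resolved, so a request with an unknown key or user id is answered with 'No such user or key' before any project lookup takes place; that message tells the caller (gitlab-shell) only about the identity it presented, not about the project, so it is consistent with the commit's goal. What is missing is a short comment explaining why the lookup was moved ahead of the project check, since the ordering is what the fix depends on and a later refactor could undo it without noticing; something like `# Resolve the actor first so that a missing project and a forbidden project are answered identically below` would do.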
@@ -32,26 +43,20 @@ module API
...
@@ -32,26 +43,20 @@ module API
project
=
Project
.
find_with_namespace
(
project_path
)
project
=
Project
.
find_with_namespace
(
project_path
)
unless
project
if
project
return
Gitlab
::
GitAccessStatus
.
new
(
false
,
'No such project'
)
status
=
access
.
check
(
actor
,
params
[
:action
],
project
,
params
[
:changes
]
)
end
end
actor
=
if
params
[
:key_id
]
if
project
&&
status
&&
status
.
allowed?
Key
.
find_by
(
id:
params
[
:key_id
])
status
elsif
params
[
:user_id
]
else
User
.
find_by
(
id:
params
[
:user_id
])
Gitlab
::
GitAccessStatus
.
new
(
false
,
'No such project'
)
end
unless
actor
return
Gitlab
::
GitAccessStatus
.
new
(
false
,
'No such user or key'
)
end
end
access
.
check
(
actor
,
params
[
:action
],
project
,
params
[
:changes
]
)
end
end
#
#
...
...
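Review bot: the `else` branch collapses every non-allowed status into 'No such project', not only the case where the actor has no read access; an actor who can see the project but whose request is rejected by `access.check` for a reason unrelated to visibility now also receives 'No such project' instead of the message carried in `status`. Consider returning `status` unchanged whenever the actor is allowed to read the project and masking only when read access itself is denied. Minor: `status` is only assigned inside `if project`, so `project &&` in `if project && status && status.allowed?` is redundant and `if status && status.allowed?` reads the same.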
lib/gitlab/backend/grack_auth.rb
...
@@ -10,8 +10,9 @@ module Grack
...
@@ -10,8 +10,9 @@ module Grack
@request
=
Rack
::
Request
.
new
(
env
)
@request
=
Rack
::
Request
.
new
(
env
)
@auth
=
Request
.
new
(
env
)
@auth
=
Request
.
new
(
env
)
# Need this patch due to the rails mount
@gitlab_ci
=
false
# Need this patch due to the rails mount
# Need this if under RELATIVE_URL_ROOT
# Need this if under RELATIVE_URL_ROOT
unless
Gitlab
.
config
.
gitlab
.
relative_url_root
.
empty?
unless
Gitlab
.
config
.
gitlab
.
relative_url_root
.
empty?
# If website is mounted using relative_url_root need to remove it first
# If website is mounted using relative_url_root need to remove it first
...
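Review bot: `@gitlab_ci = false` is introduced here without any explanation, and its meaning (the request was authenticated with a CI token in `auth!` and may skip the per-user checks in `authorized_request?`) is only visible in later hunks; a one-line comment beside the assignment, for example `# Set in auth! when the request carried a valid GitLab CI token`, would let a reader follow the flag without jumping between methods.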
@@ -22,8 +23,12 @@ module Grack
...
@@ -22,8 +23,12 @@ module Grack
@env
[
'SCRIPT_NAME'
]
=
""
@env
[
'SCRIPT_NAME'
]
=
""
if
project
auth!
auth!
if
project
&&
authorized_request?
@app
.
call
(
env
)
elsif
@user
.
nil?
&&
!
@gitlab_ci
unauthorized
else
else
render_not_found
render_not_found
end
end
...
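Review bot: the `elsif @user.nil? && !@gitlab_ci` branch answers unauthenticated requests with `unauthorized` before `project` is ever consulted, so the 401/404 split no longer depends on whether the project exists; that is the intended behaviour, but it is exactly the ordering a later change could break, and a comment stating that the response must not depend on `project` until the caller is authenticated would protect it. Note also that `@gitlab_ci` cannot be true when `project` is nil, because `gitlab_ci_request?` (next hunk) requires `project`, so the final `else` is reached only by authenticated users and renders the same `render_not_found` as a nonexistent project.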
@@ -32,35 +37,30 @@ module Grack
...
@@ -32,35 +37,30 @@ module Grack
private
private
def
auth!
def
auth!
if
@auth
.
provided?
return
unless
@auth
.
provided?
return
bad_request
unless
@auth
.
basic?
# Authentication with username and password
login
,
password
=
@auth
.
credentials
# Allow authentication for GitLab CI service
return
bad_request
unless
@auth
.
basic?
# if valid token passed
if
gitlab_ci_request?
(
login
,
password
)
return
@app
.
call
(
env
)
end
@user
=
authenticate_user
(
login
,
password
)
# Authentication with username and password
login
,
password
=
@auth
.
credentials
if
@user
# Allow authentication for GitLab CI service
Gitlab
::
ShellEnv
.
set_env
(
@user
)
# if valid token passed
@env
[
'REMOTE_USER'
]
=
@auth
.
username
if
gitlab_ci_request?
(
login
,
password
)
end
@gitlab_ci
=
true
return
end
end
if
authorized_request?
@user
=
authenticate_user
(
login
,
password
)
@app
.
call
(
env
)
else
if
@user
unauthorized
Gitlab
::
ShellEnv
.
set_env
(
@user
)
@env
[
'REMOTE_USER'
]
=
@auth
.
username
end
end
end
end
def
gitlab_ci_request?
(
login
,
password
)
def
gitlab_ci_request?
(
login
,
password
)
if
login
==
"gitlab-ci-token"
&&
project
.
gitlab_ci?
if
login
==
"gitlab-ci-token"
&&
project
&&
project
.
gitlab_ci?
token
=
project
.
gitlab_ci_service
.
token
token
=
project
.
gitlab_ci_service
.
token
if
token
.
present?
&&
token
==
password
&&
git_cmd
==
'git-upload-pack'
if
token
.
present?
&&
token
==
password
&&
git_cmd
==
'git-upload-pack'
...
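Review bot: `return bad_request unless @auth.basic?` no longer has an effect, because the rewritten `call` (previous hunk) discards the return value of `auth!` and proceeds to the `if project && authorized_request?` chain; a request with a non-Basic Authorization header therefore ends in `unauthorized` (or `render_not_found`) rather than a 400. Either keep the early response (for example in an instance variable that `call` checks before the chain) or remove the line so the code does not suggest behaviour it does not have. The added `project &&` in `gitlab_ci_request?` is necessary now that `auth!` runs before `project` is known to exist; with a nil `project` the method returns false and the request ends in `unauthorized`, which does not reveal whether the project exists.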
@@ -107,6 +107,8 @@ module Grack
...
@@ -107,6 +107,8 @@ module Grack
end
end
def
authorized_request?
def
authorized_request?
return
true
if
@gitlab_ci
case
git_cmd
case
git_cmd
when
*
Gitlab
::
GitAccess
::
DOWNLOAD_COMMANDS
when
*
Gitlab
::
GitAccess
::
DOWNLOAD_COMMANDS
if
user
if
user
...
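Review bot: `return true if @gitlab_ci` makes `authorized_request?` trust the flag set in `auth!` without looking at `git_cmd` again; this is safe only because `gitlab_ci_request?` sets the flag exclusively when `git_cmd == 'git-upload-pack'`, so a comment here pointing at that invariant (`# CI token requests are already restricted to git-upload-pack in gitlab_ci_request?`) would keep the two methods from drifting apart.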
@@ -141,7 +143,9 @@ module Grack
...
@@ -141,7 +143,9 @@ module Grack
end
end
def
project
def
project
@project
||=
project_by_path
(
@request
.
path_info
)
return
@project
if
defined?
(
@project
)
@project
=
project_by_path
(
@request
.
path_info
)
end
end
def
project_by_path
(
path
)
def
project_by_path
(
path
)
...
...
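Review bot: replacing `||=` with the `defined?(@project)` check memoises a nil lookup as well, which matters now that `project` is consulted more than once per request (from `call` and from `gitlab_ci_request?` in these hunks); with `||=` a nonexistent project would be queried again on every call. A short comment saying that the nil result is cached on purpose would stop someone simplifying it back to `||=`.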