Commit 6dfb8153 authored Jul 06, 2020 by GitLab Release Tools Bot

Merge remote-tracking branch 'dev/master'

Parents: 60730fd8 fb0eb10b

Showing 4 changed files with 63 additions and 19 deletions:

CHANGELOG-EE.md (+21 -0)
CHANGELOG.md (+12 -0)
ee/lib/api/maven_packages.rb (+3 -12)
ee/spec/requests/api/maven_packages_spec.rb (+27 -7)
CHANGELOG-EE.md
Please view this file on the master branch, on stable branches it's out of date.
## 13.1.3 (2020-07-06)
### Security (1 change)
-
Maven packages upload endpoint is now properly using the uploaded file set by middleware.
## 13.1.2 (2020-07-01)
### Security (2 changes)
...
...
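Review bot: the new `## 13.1.3 (2020-07-06)` Security entry cites no merge request, while other entries in this file do (`!31856 (Sashi Kumar)` further down); if a public MR or advisory reference exists for this fix, append it so the change is traceable, and consider the tighter wording "now uses the uploaded file set by middleware" in place of "is now properly using".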
@@ -12,6 +19,13 @@ Please view this file on the master branch, on stable branches it's out of date.
-
No changes.
## 13.0.9 (2020-07-06)
### Security (1 change)
-
Maven packages upload endpoint is now properly using the uploaded file set by middleware.
## 13.0.8 (2020-07-01)
### Security (2 changes)
...
...
@@ -374,6 +388,13 @@ Please view this file on the master branch, on stable branches it's out of date.
-
Translate unauthenticated user string for Audit Event. !31856 (Sashi Kumar)
## 12.10.14 (2020-07-06)
### Security (1 change)
-
Maven packages upload endpoint is now properly using the uploaded file set by middleware.
## 12.10.13 (2020-07-01)
### Security (2 changes)
...
...
CHANGELOG.md
...
...
@@ -2,6 +2,10 @@
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
entry.
## 13.1.3 (2020-07-06)
-
No changes.
## 13.1.2 (2020-07-01)
### Security (18 changes)
...
...
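Review bot: `## 13.1.3 (2020-07-06)` is recorded as "No changes." here although CHANGELOG-EE.md lists a security change for the same release; that is consistent, because the code change in this commit is confined to `ee/lib/api/maven_packages.rb`, but a reader scanning only CHANGELOG.md will not learn that 13.1.3 is a security release, so a one-line pointer to the EE changelog would help.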
@@ -40,6 +44,10 @@ entry.
-
Periodically recompute project authorizations. !34071
## 13.0.9 (2020-07-06)
-
No changes.
## 13.0.8 (2020-07-01)
### Security (18 changes)
...
...
@@ -694,6 +702,10 @@ entry.
-
Use visitUrl in Alert management. !32414
## 12.10.14 (2020-07-06)
-
No changes.
## 12.10.13 (2020-07-01)
### Security (15 changes)
...
...
ee/lib/api/maven_packages.rb
...
...
@@ -216,13 +216,7 @@ module API
params
do
requires
:path
,
type:
String
,
desc:
'Package path'
requires
:file_name
,
type:
String
,
desc:
'Package file name'
,
regexp:
Gitlab
::
Regex
.
maven_file_name_regex
optional
'file.path'
,
type:
String
,
desc:
%q(path to locally stored body (generated by Workhorse))
optional
'file.name'
,
type:
String
,
desc:
%q(real filename as send in Content-Disposition (generated by Workhorse))
optional
'file.type'
,
type:
String
,
desc:
%q(real content type as send in Content-Type (generated by Workhorse))
optional
'file.size'
,
type:
Integer
,
desc:
%q(real size of file (generated by Workhorse))
optional
'file.md5'
,
type:
String
,
desc:
%q(md5 checksum of the file (generated by Workhorse))
optional
'file.sha1'
,
type:
String
,
desc:
%q(sha1 checksum of the file (generated by Workhorse))
optional
'file.sha256'
,
type:
String
,
desc:
%q(sha256 checksum of the file (generated by Workhorse))
requires
:file
,
type:
::
API
::
Validations
::
Types
::
WorkhorseFile
,
desc:
'The package file to be published (generated by Multipart middleware)'
end
route_setting
:authentication
,
job_token_allowed:
true
,
deploy_token_allowed:
true
put
':id/packages/maven/*path/:file_name'
,
requirements:
MAVEN_ENDPOINT_REQUIREMENTS
do
...
...
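Review bot: dropping the seven `optional 'file.*'` declarations in favour of `requires :file, type: ::API::Validations::Types::WorkhorseFile` is the substantive fix: `file.path` was declared as a plain `String` request parameter described as "path to locally stored body", so the endpoint treated a client-suppliable value as the location of the upload body, and this endpoint is reachable with job and deploy tokens (`job_token_allowed: true, deploy_token_allowed: true`). The new `desc:` says the file is "generated by Multipart middleware"; add a short comment stating that the handler must not read `file.*` params directly, so a later edit to this block does not reintroduce them.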
@@ -230,9 +224,6 @@ module API
file_name
,
format
=
extract_format
(
params
[
:file_name
])
uploaded_file
=
UploadedFile
.
from_params
(
params
,
:file
,
::
Packages
::
PackageFileUploader
.
workhorse_local_upload_path
)
bad_request!
(
'Missing package file!'
)
unless
uploaded_file
package
=
::
Packages
::
Maven
::
FindOrCreatePackageService
.
new
(
user_project
,
current_user
,
params
.
merge
(
build:
current_authenticated_job
)).
execute
...
...
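Review bot: removing `bad_request!('Missing package file!') unless uploaded_file` changes the missing-file response from this explicit message to the validation error produced by `requires :file`; confirm a spec covers the absent-file case and that API clients do not match on the old message. Note also that `UploadedFile.from_params(params, :file, ::Packages::PackageFileUploader.workhorse_local_upload_path)` was the one place in this method that tied the upload to `workhorse_local_upload_path`; the `WorkhorseFile` type is now relied on to enforce an equivalent constraint, so a comment pointing at where that check lives would help future readers.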
@@ -244,14 +235,14 @@ module API
package_file
=
::
Packages
::
PackageFileFinder
.
new
(
package
,
file_name
).
execute!
verify_package_file
(
package_file
,
uploaded_file
)
verify_package_file
(
package_file
,
params
[
:file
]
)
when
'md5'
nil
else
track_event
(
'push_package'
)
if
jar_file?
(
format
)
file_params
=
{
file:
uploaded_file
,
file:
params
[
:file
]
,
size:
params
[
'file.size'
],
file_name:
file_name
,
file_type:
params
[
'file.type'
],
...
...
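Review bot: `params[:file]` now replaces `uploaded_file` in both `verify_package_file(package_file, params[:file])` and `file: params[:file]` inside `file_params`; reading the validated object once into a local (for example right after `extract_format`) would keep a single name for the upload through the method and avoid the two lookups diverging, given that the params hash is already merged elsewhere in this method via `params.merge(build: current_authenticated_job)`.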
ee/spec/requests/api/maven_packages_spec.rb
...
...
@@ -2,6 +2,8 @@
require
'spec_helper'
RSpec
.
describe
API
::
MavenPackages
do
include
WorkhorseHelpers
let_it_be
(
:group
)
{
create
(
:group
)
}
let_it_be
(
:user
)
{
create
(
:user
)
}
let_it_be
(
:project
,
reload:
true
)
{
create
(
:project
,
:public
,
namespace:
group
)
}
...
...
@@ -484,6 +486,9 @@ RSpec.describe API::MavenPackages do
end
describe
'PUT /api/v4/projects/:id/packages/maven/*path/:file_name'
do
let
(
:workhorse_token
)
{
JWT
.
encode
({
'iss'
=>
'gitlab-workhorse'
},
Gitlab
::
Workhorse
.
secret
,
'HS256'
)
}
let
(
:workhorse_header
)
{
{
'GitLab-Workhorse'
=>
'1.0'
,
Gitlab
::
Workhorse
::
INTERNAL_API_REQUEST_HEADER
=>
workhorse_token
}
}
let
(
:send_rewritten_field
)
{
true
}
let
(
:file_upload
)
{
fixture_file_upload
(
'spec/fixtures/packages/maven/my-app-1.0-20180724.124855-1.jar'
)
}
before
do
...
...
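Review bot: `let(:send_rewritten_field) { true }` is introduced here but its effect is only visible much further down in `upload_file` via `workhorse_finalize(..., send_rewritten_field: send_rewritten_field)`; a comment next to the `let` explaining that `true` models Workhorse rewriting the multipart `file` field (the production path) and `false` models a client posting the field itself would make the later 'without workhorse rewritten field' context self-explanatory.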
@@ -511,13 +516,18 @@ RSpec.describe API::MavenPackages do
expect
(
response
).
to
have_gitlab_http_status
(
:forbidden
)
end
context
'when params from workhorse are correct'
do
let
(
:params
)
do
{
'file.path'
=>
file_upload
.
path
,
'file.name'
=>
file_upload
.
original_filename
}
context
'without workhorse rewritten field'
do
let
(
:send_rewritten_field
)
{
false
}
it
'rejects the request'
do
upload_file_with_token
expect
(
response
).
to
have_gitlab_http_status
(
:bad_request
)
end
end
context
'when params from workhorse are correct'
do
let
(
:params
)
{
{
file:
file_upload
}
}
it
'rejects a malicious request'
do
put
api
(
"/projects/
#{
project
.
id
}
/packages/maven/com/example/my-app/
#{
version
}
/%2e%2e%2f.ssh%2fauthorized_keys"
),
params:
params
,
headers:
headers_with_token
...
...
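Review bot: the new 'without workhorse rewritten field' context asserts only `have_gitlab_http_status(:bad_request)`; add an assertion that no package file was created, so a regression that writes the file before returning 400 would still fail. The 'rejects a malicious request' example now sends `file: file_upload` instead of the removed `'file.path' => file_upload.path` pair, which matches the API's new `requires :file` declaration; with `file.path` gone from the params, the only client-controlled path component left is `:file_name`, which the `regexp: Gitlab::Regex.maven_file_name_regex` declaration in the API hunk constrains, so this example now exercises that check rather than a path taken from params.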
@@ -526,6 +536,8 @@ RSpec.describe API::MavenPackages do
end
context
'without workhorse header'
do
let
(
:workhorse_header
)
{
{}
}
subject
{
upload_file_with_token
(
params
)
}
it_behaves_like
'package workhorse uploads'
...
...
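Review bot: the 'without workhorse header' context now defines `subject { upload_file_with_token(params) }` and defers to `it_behaves_like 'package workhorse uploads'`; since `workhorse_header` is `{}` here, confirm the shared example includes the case that rejects a request lacking `Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER`, because that expectation is no longer stated inline in this context.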
@@ -572,7 +584,15 @@ RSpec.describe API::MavenPackages do
end
def
upload_file
(
params
=
{},
request_headers
=
headers
)
put
api
(
"/projects/
#{
project
.
id
}
/packages/maven/com/example/my-app/
#{
version
}
/my-app-1.0-20180724.124855-1.jar"
),
params:
params
,
headers:
request_headers
url
=
"/projects/
#{
project
.
id
}
/packages/maven/com/example/my-app/
#{
version
}
/my-app-1.0-20180724.124855-1.jar"
workhorse_finalize
(
api
(
url
),
method: :put
,
file_key: :file
,
params:
params
,
headers:
request_headers
,
send_rewritten_field:
send_rewritten_field
)
end
def
upload_file_with_token
(
params
=
{},
request_headers
=
headers_with_token
)
...
...
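Review bot: `upload_file` now builds `url` and calls `workhorse_finalize(api(url), method: :put, file_key: :file, ...)`, which is the right way to simulate the middleware-rewritten field in a request spec; the path prefix `/projects/#{project.id}/packages/maven/com/example/my-app/#{version}/` is now duplicated between this helper and the 'rejects a malicious request' example, so a small helper taking the file name would keep the two in step.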