Prevent filename bypass on artifact upload
The attack is outlined in https://gitlab.com/gitlab-org/gitlab/-/issues/213139. It exploits the fact that the artifacts endpoint reads `file.path` directly using `UploadedFile.from_params`. `file.path` can be given by the user and pass through workhorse. As such, it's an untrusted source and could contain the path of any file in `Dir.tmpdir`. This results in creating a `Ci::JobArtifact` pointing to an arbitrary temporary file. To counter this, this commit relies on the fact that the upload endpoint deals with a multipart upload. This type of upload is handled by `Gitlab::Middleware::Multipart`, which will read the upload file from a trusted source (the workhorse JWT token) and build an `UploadedFile` object out of it. Thus, in the Grape endpoint, we can simply read the param directly and validate that it's an `UploadedFile`.
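The trust boundary the commit message describes, reduced to a runnable model. This is an added example, not GitLab's code: the `UploadedFile` class, the middleware, the endpoint helpers, the shared secret, the `HTTP_GITLAB_WORKHORSE_MULTIPART_FIELDS` env key and the `rewritten_fields` JWT payload layout are all assumptions made for illustration. The vulnerable helper builds the upload from a user-supplied `file.path` guarded only by a `Dir.tmpdir` prefix check, so any temp file can be referenced; the hardened path only turns fields named in a workhorse-signed JWT into `UploadedFile` objects, and the endpoint rejects anything that is not one.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'tmpdir'

# Assumptions for this example: a secret shared with workhorse, and the rack
# env key under which workhorse sends its signed description of the upload.
WORKHORSE_SECRET = 'shared-secret-for-this-example'.freeze
MULTIPART_HEADER = 'HTTP_GITLAB_WORKHORSE_MULTIPART_FIELDS'.freeze

# Minimal stand-in for the object the middleware hands to the endpoint.
class UploadedFile
  attr_reader :path, :original_filename

  def initialize(path, filename:)
    @path = path
    @original_filename = filename
  end
end

# Vulnerable pattern: `file.path` comes straight from request params, so it is
# attacker-controlled. A prefix check against Dir.tmpdir still lets the caller
# point the artifact at any file that happens to live there.
def artifact_from_params_vulnerable(params)
  path = params['file.path'].to_s
  raise ArgumentError, 'path outside tmpdir' unless File.expand_path(path).start_with?(Dir.tmpdir)

  UploadedFile.new(path, filename: params['file.name'])
end

# Minimal HS256 JWT, enough to model the workhorse -> rails trust boundary.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign_jwt(payload, secret)
  header = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  body = b64url(JSON.generate(payload))
  sig = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}"))
  "#{header}.#{body}.#{sig}"
end

# Returns the claims hash, or nil for a missing, malformed or forged token.
def verify_jwt(token, secret)
  header, body, sig = token.to_s.split('.')
  return nil unless header && body && sig

  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}"))
  return nil unless constant_time_equal?(sig, expected)

  JSON.parse(Base64.urlsafe_decode64(body))
rescue ArgumentError, JSON::ParserError
  nil
end

# Middleware: only fields described in the verified JWT become UploadedFile
# objects. Assumed payload layout:
#   {"rewritten_fields" => {"file" => {"path" => ..., "name" => ...}}}
# User-supplied keys such as `file.path` are left as plain strings.
def multipart_middleware(env, params, secret: WORKHORSE_SECRET)
  claims = verify_jwt(env[MULTIPART_HEADER], secret)
  return params unless claims

  rewritten = params.dup
  claims.fetch('rewritten_fields', {}).each do |field, meta|
    rewritten[field] = UploadedFile.new(meta['path'], filename: meta['name'])
  end
  rewritten
end

# Hardened endpoint: read the param directly and insist it is what the
# middleware built; a string or nil means the request bypassed workhorse.
def artifact_from_param_hardened(params)
  file = params['file']
  raise ArgumentError, 'file must be an UploadedFile built by the multipart middleware' unless file.is_a?(UploadedFile)

  file
end
```

The middleware never reads a path from the request body; the only paths it will accept are those inside a token whose HMAC verifies under the workhorse secret. That is why a forged token signed with a different secret leaves `params['file']` untouched and the endpoint's `is_a?(UploadedFile)` check fails.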