Track web server access to Settings.pages.path

9dae1a2e · Jacob Vosmaer · Jan Provaznik · 361cf070 · 9dae1a2e · 9dae1a2e
Commit 9dae1a2e authored Jul 28, 2020 by Jacob Vosmaer Committed by Jan Provaznik Jul 28, 2020
4 changed files
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -283,6 +283,7 @@ Settings.sentry['clientside_dsn'] ||= nil
 # Pages
 #
 Settings['pages'] ||= Settingslogic.new({})
+Settings['pages'] = ::Gitlab::Pages::Settings.new(Settings.pages) # For path access detection https://gitlab.com/gitlab-org/gitlab/-/issues/230702
 Settings.pages['enabled']           = false if Settings.pages['enabled'].nil?
 Settings.pages['access_control']    = false if Settings.pages['access_control'].nil?
 Settings.pages['path']              = Settings.absolute(Settings.pages['path'] || File.join(Settings.shared['path'], "pages"))

--- a/lib/gitlab/pages.rb
+++ b/lib/gitlab/pages.rb
 # frozen_string_literal: true
 module Gitlab
-  class Pages
+  module Pages
    VERSION = File.read(Rails.root.join("GITLAB_PAGES_VERSION")).strip.freeze
    INTERNAL_API_REQUEST_HEADER = 'Gitlab-Pages-Api-Request'.freeze
    MAX_SIZE = 1.terabyte

--- a/lib/gitlab/pages/settings.rb
+++ b/lib/gitlab/pages/settings.rb
+# frozen_string_literal: true
+module Gitlab
+  module Pages
+    class Settings < ::SimpleDelegator
+      DiskAccessDenied = Class.new(StandardError)
+      def path
+        if ::Gitlab::Runtime.web_server? && ENV['GITLAB_PAGES_DENY_DISK_ACCESS'] == '1'
+          begin
+            raise DiskAccessDenied
+          rescue DiskAccessDenied => ex
+            ::Gitlab::ErrorTracking.track_exception(ex)
+          end
+        end
+        super
+      end
+    end
+  end
+end
--- a/spec/lib/gitlab/pages/settings_spec.rb
+++ b/spec/lib/gitlab/pages/settings_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe Gitlab::Pages::Settings do
+  describe '#path' do
+    subject { described_class.new(settings).path }
+    let(:settings) { double(path: 'the path') }
+    it { is_expected.to eq('the path') }
+    it 'does not track calls' do
+      expect(::Gitlab::ErrorTracking).not_to receive(:track_exception)
+      subject
+    end
+    context 'when running under a web server' do
+      before do
+        allow(::Gitlab::Runtime).to receive(:web_server?).and_return(true)
+      end
+      it { is_expected.to eq('the path') }
+      it 'does not track calls' do
+        expect(::Gitlab::ErrorTracking).not_to receive(:track_exception)
+        subject
+      end
+      context 'with the env var' do
+        before do
+          stub_env('GITLAB_PAGES_DENY_DISK_ACCESS', '1')
+        end
+        it { is_expected.to eq('the path') }
+        it 'tracks a DiskAccessDenied exception' do
+          expect(::Gitlab::ErrorTracking).to receive(:track_exception)
+            .with(instance_of(described_class::DiskAccessDenied)).and_call_original
+          subject
+        end
+      end
+    end
+  end
+end