Merge branch 'security-dependency-proxy-path-traversal' into 'master'

Add constraint to dependency proxy route See merge request gitlab-org/security/gitlab!77

Merge branch 'security-dependency-proxy-path-traversal' into 'master'
Add constraint to dependency proxy route See merge request gitlab-org/security/gitlab!77
b3c2e64a · GitLab Release Tools Bot · bb3469c8 · b16946b8 · b3c2e64a · b3c2e64a
Commit b3c2e64a authored Jan 28, 2020 by GitLab Release Tools Bot
5 changed files
--- a/changelogs/unreleased/security-dependency-proxy-path-traversal.yml
+++ b/changelogs/unreleased/security-dependency-proxy-path-traversal.yml
+---
+title: Add constraint to group dependency proxy endpoint param
+merge_request:
+author:
+type: security
--- a/ee/config/routes/group.rb
+++ b/ee/config/routes/group.rb
@@ -151,7 +151,7 @@ end
 scope format: false do
  get 'v2', to: proc { [200, {}, ['']] }

-  constraints image: Gitlab::PathRegex.container_image_regex do
+  constraints image: Gitlab::PathRegex.container_image_regex, sha: Gitlab::PathRegex.container_image_blob_sha_regex do
    get 'v2/*group_id/dependency_proxy/containers/*image/manifests/*tag' => 'groups/dependency_proxy_for_containers#manifest'
    get 'v2/*group_id/dependency_proxy/containers/*image/blobs/:sha' => 'groups/dependency_proxy_for_containers#blob'
  end

--- a/ee/lib/ee/gitlab/path_regex.rb
+++ b/ee/lib/ee/gitlab/path_regex.rb
@@ -13,6 +13,10 @@ module EE
        def container_image_regex
          @container_image_regex ||= %r{([\w\.-]+\/){0,1}[\w\.-]+}.freeze
        end
+
+        def container_image_blob_sha_regex
+          @container_image_blob_sha_regex ||= %r{[\w+.-]+:?[\w]+}.freeze
+        end
      end
    end
  end

--- a/ee/spec/lib/ee/gitlab/path_regex_spec.rb
+++ b/ee/spec/lib/ee/gitlab/path_regex_spec.rb
@@ -19,4 +19,17 @@ describe Gitlab::PathRegex do
      expect(subject.match('ruby:2.3.6')[0]).to eq('ruby')
    end
  end
+
+  describe '.container_image_blob_sha_regex' do
+    subject { described_class.container_image_blob_sha_regex }
+
+    it { is_expected.to match('sha256:asdf1234567890ASDF') }
+    it { is_expected.to match('foo:123') }
+    it { is_expected.to match('a12bc3f590szp') }
+    it { is_expected.not_to match('') }
+
+    it 'does not match malicious characters' do
+      expect(subject.match('sha256:asdf1234%2f')[0]).to eq('sha256:asdf1234')
+    end
+  end
 end
--- a/ee/spec/routing/group_routing_spec.rb
+++ b/ee/spec/routing/group_routing_spec.rb
@@ -60,6 +60,16 @@ describe 'Group routing', "routing" do
        expect(get('/v2/gitlabhq/dependency_proxy/containers/ruby/blobs/abc12345'))
          .to route_to('groups/dependency_proxy_for_containers#blob', group_id: 'gitlabhq', image: 'ruby', sha: 'abc12345')
      end
+
+      it "does not route to #blob with an invalid sha" do
+        expect(get("/v2/gitlabhq/dependency_proxy/containers/ruby/blobs/sha256:asdf1234%2f%2e%2e"))
+          .not_to route_to(group_id: 'gitlabhq', image: 'ruby', sha: 'sha256:asdf1234%2f%2e%2e')
+      end
+
+      it "does not route to #blob with an invalid image" do
+        expect(get("/v2/gitlabhq/dependency_proxy/containers/ru*by/blobs/abc12345"))
+          .not_to route_to('groups/dependency_proxy_for_containers#blob', group_id: 'gitlabhq', image: 'ru*by', sha: 'abc12345')
+      end
    end

    context 'image name with namespace' do