Commit b3c2e64a authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-dependency-proxy-path-traversal' into 'master'

Add constraint to dependency proxy route

See merge request gitlab-org/security/gitlab!77
parents bb3469c8 b16946b8
---
title: Add constraint to group dependency proxy endpoint param
merge_request:
author:
type: security
...@@ -151,7 +151,7 @@ end ...@@ -151,7 +151,7 @@ end
scope format: false do scope format: false do
get 'v2', to: proc { [200, {}, ['']] } get 'v2', to: proc { [200, {}, ['']] }
constraints image: Gitlab::PathRegex.container_image_regex do constraints image: Gitlab::PathRegex.container_image_regex, sha: Gitlab::PathRegex.container_image_blob_sha_regex do
get 'v2/*group_id/dependency_proxy/containers/*image/manifests/*tag' => 'groups/dependency_proxy_for_containers#manifest' get 'v2/*group_id/dependency_proxy/containers/*image/manifests/*tag' => 'groups/dependency_proxy_for_containers#manifest'
get 'v2/*group_id/dependency_proxy/containers/*image/blobs/:sha' => 'groups/dependency_proxy_for_containers#blob' get 'v2/*group_id/dependency_proxy/containers/*image/blobs/:sha' => 'groups/dependency_proxy_for_containers#blob'
end end
......
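Review bot: The new `constraints` hash covers `image` and `sha`, but the manifests route two lines below still takes `*tag` as an unconstrained glob segment, so that parameter may contain `/` and arbitrary characters while `sha` now cannot. If `tag` is forwarded to the upstream registry the way `sha` is (the controller is outside this hunk, so I cannot confirm), it deserves a matching segment constraint in the same hash, e.g. `constraints image: ..., sha: ..., tag: <TAG_REGEX_PLACEHOLDER> do`, plus a routing spec mirroring the new negative `#blob` cases; a plain `:tag` segment rather than a glob would also stop it swallowing `/`. Note that both versions of the `constraints` line are printed side by side here; the one ending in `container_image_blob_sha_regex do` is the new side.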
...@@ -13,6 +13,10 @@ module EE ...@@ -13,6 +13,10 @@ module EE
def container_image_regex def container_image_regex
@container_image_regex ||= %r{([\w\.-]+\/){0,1}[\w\.-]+}.freeze @container_image_regex ||= %r{([\w\.-]+\/){0,1}[\w\.-]+}.freeze
end end
def container_image_blob_sha_regex
@container_image_blob_sha_regex ||= %r{[\w+.-]+:?[\w]+}.freeze
end
end end
end end
end end
......
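Review bot: `container_image_blob_sha_regex` is unanchored, so used directly it accepts any string that merely starts with a matching run — the companion spec depends on exactly that when it inspects `match('sha256:asdf1234%2f')[0]`. This is only safe because Rails anchors route segment requirements implicitly; a caller that reuses the regex for standalone validation would need to wrap it in `\A…\z`, and nothing in the method says so. A header comment would pin the contract: `# Route segment constraint for the blob digest in dependency proxy routes. Deliberately unanchored (Rails anchors requirements); wrap in \A…\z before using it for direct validation.` The trailing `[\w]+` is a single-class bracket and reads more naturally as `\w+`, and the reason `+` is permitted in the leading class (I take it to be the digest-algorithm grammar, but cannot confirm from this hunk) is worth one line in the same comment.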
...@@ -19,4 +19,17 @@ describe Gitlab::PathRegex do ...@@ -19,4 +19,17 @@ describe Gitlab::PathRegex do
expect(subject.match('ruby:2.3.6')[0]).to eq('ruby') expect(subject.match('ruby:2.3.6')[0]).to eq('ruby')
end end
end end
describe '.container_image_blob_sha_regex' do
subject { described_class.container_image_blob_sha_regex }
it { is_expected.to match('sha256:asdf1234567890ASDF') }
it { is_expected.to match('foo:123') }
it { is_expected.to match('a12bc3f590szp') }
it { is_expected.not_to match('') }
it 'does not match malicious characters' do
expect(subject.match('sha256:asdf1234%2f')[0]).to eq('sha256:asdf1234')
end
end
end end
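Review bot: The example `does not match malicious characters` asserts the opposite of its name: the regex does match the input and the example only pins which prefix was captured, so it documents partial-match behaviour rather than the rejection the route constraint relies on. Asserting the anchored form states the property directly: `expect('sha256:asdf1234%2f').not_to match(/\A#{subject}\z/)`, and the encoded-traversal value already used in the routing spec belongs here too: `expect('sha256:asdf1234%2f%2e%2e').not_to match(/\A#{subject}\z/)`. Renaming the example to `it 'does not match a full segment containing percent-encoded characters'` would then match what it checks. The enclosing `describe` block begins before this hunk.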
...@@ -60,6 +60,16 @@ describe 'Group routing', "routing" do ...@@ -60,6 +60,16 @@ describe 'Group routing', "routing" do
expect(get('/v2/gitlabhq/dependency_proxy/containers/ruby/blobs/abc12345')) expect(get('/v2/gitlabhq/dependency_proxy/containers/ruby/blobs/abc12345'))
.to route_to('groups/dependency_proxy_for_containers#blob', group_id: 'gitlabhq', image: 'ruby', sha: 'abc12345') .to route_to('groups/dependency_proxy_for_containers#blob', group_id: 'gitlabhq', image: 'ruby', sha: 'abc12345')
end end
it "does not route to #blob with an invalid sha" do
expect(get("/v2/gitlabhq/dependency_proxy/containers/ruby/blobs/sha256:asdf1234%2f%2e%2e"))
.not_to route_to(group_id: 'gitlabhq', image: 'ruby', sha: 'sha256:asdf1234%2f%2e%2e')
end
it "does not route to #blob with an invalid image" do
expect(get("/v2/gitlabhq/dependency_proxy/containers/ru*by/blobs/abc12345"))
.not_to route_to('groups/dependency_proxy_for_containers#blob', group_id: 'gitlabhq', image: 'ru*by', sha: 'abc12345')
end
end end
context 'image name with namespace' do context 'image name with namespace' do
......
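Review bot: The example `does not route to #blob with an invalid sha` appears to pass vacuously: its `route_to` call omits the `'groups/dependency_proxy_for_containers#blob'` controller/action string that the sibling `invalid image` example supplies, so as far as I can tell from `route_to`'s whole-hash comparison the expectation can never equal a recognized route's params and `.not_to` succeeds whether or not the `sha` constraint rejects the value. Align it with the example below it: `.not_to route_to('groups/dependency_proxy_for_containers#blob', group_id: 'gitlabhq', image: 'ruby', sha: 'sha256:asdf1234%2f%2e%2e')`. The enclosing `describe`/`context` blocks begin before this hunk.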