Commit f98ce6b4 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-fix-path-traversal-in-nuget-package-repository' into 'master'

Security fix path traversal in nuget package repository

Closes #113

See merge request gitlab-org/security/gitlab!428
parents 797f6e8c 0831beea
...@@ -30,7 +30,7 @@ class Packages::Package < ApplicationRecord ...@@ -30,7 +30,7 @@ class Packages::Package < ApplicationRecord
validate :valid_conan_package_recipe, if: :conan? validate :valid_conan_package_recipe, if: :conan?
validate :valid_npm_package_name, if: :npm? validate :valid_npm_package_name, if: :npm?
validate :package_already_taken, if: :npm? validate :package_already_taken, if: :npm?
validates :version, format: { with: Gitlab::Regex.semver_regex }, if: :npm? validates :version, format: { with: Gitlab::Regex.semver_regex }, if: -> { npm? || nuget? }
validates :name, format: { with: Gitlab::Regex.conan_recipe_component_regex }, if: :conan? validates :name, format: { with: Gitlab::Regex.conan_recipe_component_regex }, if: :conan?
validates :version, format: { with: Gitlab::Regex.conan_recipe_component_regex }, if: :conan? validates :version, format: { with: Gitlab::Regex.conan_recipe_component_regex }, if: :conan?
......
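Review bot: The new `if: -> { npm? || nuget? }` condition on the `validates :version` line makes `Gitlab::Regex.semver_regex` the only check between a NuGet version string and wherever that string is later used as a path component, so the regex must be anchored with `\A`/`\z` — Ruby's `^`/`$` match per line, and a line-anchored pattern would still accept a value whose first line is a valid version; the regex is outside this hunk, so confirm rather than assume. A one-line comment on the validator would tell the next reader why NuGet joined npm here, e.g. `# NuGet versions end up as path components; restrict them to SemVer (see #113)`. Note also that NuGet itself accepts legacy four-part versions (constructed example: `1.0.0.0`), which a SemVer regex presumably rejects; if that narrowing is intended, say so in the same comment. The enclosing class body continues outside the hunk.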
---
title: Ensure that NuGet package versions are SemVer compliant
merge_request:
author:
type: security
...@@ -95,8 +95,9 @@ RSpec.describe Packages::Package, type: :model do ...@@ -95,8 +95,9 @@ RSpec.describe Packages::Package, type: :model do
end end
describe '#version' do describe '#version' do
context 'npm package' do RSpec.shared_examples 'validating version to be SemVer compliant for' do |factory_name|
subject { create(:npm_package) } context "for #{factory_name}" do
subject { create(factory_name) }
it { is_expected.to allow_value('1.2.3').for(:version) } it { is_expected.to allow_value('1.2.3').for(:version) }
it { is_expected.to allow_value('1.2.3-beta').for(:version) } it { is_expected.to allow_value('1.2.3-beta').for(:version) }
...@@ -107,6 +108,7 @@ RSpec.describe Packages::Package, type: :model do ...@@ -107,6 +108,7 @@ RSpec.describe Packages::Package, type: :model do
it { is_expected.not_to allow_value('../../../../../1.2.3').for(:version) } it { is_expected.not_to allow_value('../../../../../1.2.3').for(:version) }
it { is_expected.not_to allow_value('%2e%2e%2f1.2.3').for(:version) } it { is_expected.not_to allow_value('%2e%2e%2f1.2.3').for(:version) }
end end
end
context 'conan package' do context 'conan package' do
subject { create(:conan_package) } subject { create(:conan_package) }
...@@ -123,6 +125,9 @@ RSpec.describe Packages::Package, type: :model do ...@@ -123,6 +125,9 @@ RSpec.describe Packages::Package, type: :model do
it { is_expected.not_to allow_value('+1.2.3').for(:version) } it { is_expected.not_to allow_value('+1.2.3').for(:version) }
it { is_expected.not_to allow_value('%2e%2e%2f1.2.3').for(:version) } it { is_expected.not_to allow_value('%2e%2e%2f1.2.3').for(:version) }
end end
it_behaves_like 'validating version to be SemVer compliant for', :npm_package
it_behaves_like 'validating version to be SemVer compliant for', :nuget_package
end end
describe '#package_already_taken' do describe '#package_already_taken' do
...@@ -218,10 +223,12 @@ RSpec.describe Packages::Package, type: :model do ...@@ -218,10 +223,12 @@ RSpec.describe Packages::Package, type: :model do
end end
describe '.has_version' do describe '.has_version' do
let!(:package4) { create(:nuget_package, version: nil) }
subject { described_class.has_version } subject { described_class.has_version }
before do
create(:maven_metadatum).package.update!(version: nil)
end
it 'includes only packages with version attribute' do it 'includes only packages with version attribute' do
is_expected.to match_array([package1, package2, package3]) is_expected.to match_array([package1, package2, package3])
end end
......
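Review bot: In the first hunk, `RSpec.shared_examples 'validating version to be SemVer compliant for'` is declared inside `describe '#version'` but the `RSpec.` prefix registers the group globally rather than scoping it to that describe, so a same-named group elsewhere in the suite would collide; dropping the prefix, `shared_examples 'validating version to be SemVer compliant for' do |factory_name|`, keeps it local. The shared examples carry the traversal regression cases (`'../../../../../1.2.3'`, `'%2e%2e%2f1.2.3'`), but none of them would catch a regex anchored with `^`/`$` instead of `\A`/`\z`; adding `it { is_expected.not_to allow_value("1.2.3\n../1.2.3").for(:version) }` to the shared group covers that for both npm and nuget. The `describe '#version'` block itself starts outside the hunk.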
...@@ -66,5 +66,23 @@ describe Packages::Nuget::UpdatePackageFromMetadataService do ...@@ -66,5 +66,23 @@ describe Packages::Nuget::UpdatePackageFromMetadataService do
expect { subject }.to raise_error(::Packages::Nuget::UpdatePackageFromMetadataService::InvalidMetadataError) expect { subject }.to raise_error(::Packages::Nuget::UpdatePackageFromMetadataService::InvalidMetadataError)
end end
end end
context 'with an invalid package version' do
invalid_versions = [
'1',
'1.2',
'1./2.3',
'../../../../../1.2.3',
'%2e%2e%2f1.2.3'
]
invalid_versions.each do |invalid_version|
it "raises an error for version #{invalid_version}" do
allow(service).to receive(:package_version).and_return(invalid_version)
expect { subject }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: Version is invalid')
end
end
end
end end
end end
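Review bot: The new `raise_error(ActiveRecord::RecordInvalid, 'Validation failed: Version is invalid')` expectations pin the full message string, which breaks as soon as any other validation also fails on the same record (the message then lists every error), and they let the model's validation failure escape as the service's error. The service already defines `InvalidMetadataError` (used two lines above the hunk) for metadata it cannot accept, and a version read from the nuspec that fails the SemVer check is arguably the same category, so consider validating the version before the `update!` in the service and asserting `expect { subject }.to raise_error(::Packages::Nuget::UpdatePackageFromMetadataService::InvalidMetadataError)` here — the service body is not in this diff, so treat that as a suggestion to check. If `RecordInvalid` is the intended contract, match on a fragment instead, `raise_error(ActiveRecord::RecordInvalid, /Version is invalid/)`. The enclosing `describe` block starts outside the hunk.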