Fix path traversal using job name in TaskLogger (!3930) · Merge requests · GitLab.org / GitLab Development Kit

Kev Kloss requested to merge kkloss-task-logger-path-traversal into main Aug 15, 2024

What does this merge request do and why?

This MR fixes a that the TaskLogger doesn’t escape job names when generating the log file path.

This isn’t a problem yet but will likely cause one with !3726.

How to set up and validate locally

It’s hard to test right now. You could do this:

At the bottom of Rakefile, create a task:

spinner_task 'test/task' do
  puts "woof"
end

Run bundle exec rake 'test/task'

See the following error:

rake aborted!
test/task failed!
See /Users/kev/development/gitlab/gdk/log/gdk/rake-2024-08-15_16-01-13_697/test-task.log for the task output.

On main the error would be:

rake aborted!
Errno::ENOENT: No such file or directory @ rb_sysopen - /Users/kev/development/gitlab/gdk/log/gdk/rake-2024-08-15_16-01-19_588/test/task.log (Errno::ENOENT)

Impacted categories

The following categories relate to this merge request:

gdk-reliability - e.g. When a GDK action fails to complete.
gdk-usability - e.g. Improvements or suggestions around how the GDK functions.
gdk-performance - e.g. When a GDK action is slow or times out.

Merge request checklist

This change is backward compatible. If not, please include steps to communicate to our users.
Tests added for new functionality. If not, please raise an issue to follow-up.
Documentation added/updated, if needed.
Announcement added, if change is notable.
gdk doctor test added, if needed.
Add the ~highlight label if this MR should be included in the CHANGELOG.md.

Edited Aug 16, 2024 by Kev Kloss

Fix path traversal using job name in TaskLogger

What does this merge request do and why?

How to set up and validate locally

Impacted categories

Merge request checklist

Merge request reports