
Delete symlinks after extracting files

What does this MR do and why?

Updates the methods untar_zxf and untar_xf to delete symlinks after extracting the files, making the methods secure by default against symlink attacks.

Related to: Automatically perform validations / symlink cle... (#384591 - closed)

Screenshots or screen recordings

GitLab Direct Transfer

symlink

How to set up and validate locally

The untar_zxf method is used to decompress the project export archive. To test whether the symlinks are deleted before the files are imported, export a project via the UI in Project -> Settings -> Advanced -> Export Project.

Download the project export file, extract it, and replace one of the files with a symlink. For example, project archives have a VERSION file: replace the VERSION file with a symlink, compress the files back to a tar.gz, and import the archive via New Project -> Import Project -> Gitlab Export. The export should fail as the VERSION file shouldn't be found.

The untar_xf method is used by GitLab Direct Transfer to extract relation files. Because GitLab Direct Transfer automatically downloads files from the source instance, to test it we need to modify the response sent by the source instance, and one of the options is to use a proxy.

Below is a Node proxy that can be used:

proxy.js.zip

To use proxy.js, extract it, create an uploads.tar.gz, and start the proxy with node proxy.js

The content of the uploads.tar.gz should be something like this:

.
├── cecf99ba2b4401b0ebaf3ac6d361cdc6
│   └── security.txt -> /Users/rodrigotomonari/Sites/g/gitlab/security.txt
└── e79c56d85abc19ad52fd33be4550743d
    └── cat.jpg

Then when using GitLab Direct Transfer, provide the source URL of the proxy, for example: http://gdk.test:3002

After importing the group/project, the URL

http://gdk.test:3000/NAMESPACE_PATH/-/uploads/cecf99ba2b4401b0ebaf3ac6d361cdc6/security.txt should return 404

http://gdk.test:3000/NAMESPACE_PATH/-/uploads/e79c56d85abc19ad52fd33be4550743d/cat.jpg should return 200

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Rodrigo Tomonari
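
The cleanup this merge request describes, sketched as an added example; it is not code from the merge request or from GitLab. The helper name remove_symlinks and the fixture contents are assumptions, and the fixture is constructed to mirror the uploads layout shown above, so the symlinked upload is removed and the regular file remains.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# Hypothetical helper, not GitLab's untar_zxf/untar_xf: delete every symlink
# left under +dir+ by an extraction and return the paths that were removed.
def remove_symlinks(dir)
  # Find uses lstat, so it lists a symlinked directory without descending into it.
  links = Find.find(dir).select { |path| File.lstat(path).symlink? }
  links.each { |path| File.unlink(path) } # removes the link, never its target
  links.sort
end

# Constructed fixture mirroring the uploads layout from the description.
def demo
  Dir.mktmpdir do |root|
    outside = File.join(root, 'security.txt') # lives outside the extraction dir
    File.write(outside, 'not part of the archive')
    extracted = File.join(root, 'extracted')
    link_dir = File.join(extracted, 'cecf99ba2b4401b0ebaf3ac6d361cdc6')
    file_dir = File.join(extracted, 'e79c56d85abc19ad52fd33be4550743d')
    FileUtils.mkdir_p([link_dir, file_dir])
    File.symlink(outside, File.join(link_dir, 'security.txt'))
    File.write(File.join(file_dir, 'cat.jpg'), 'constructed image bytes')

    relative = ->(path) { path.delete_prefix("#{extracted}/") }
    removed = remove_symlinks(extracted).map(&relative)
    remaining = Find.find(extracted).select { |p| File.file?(p) }.map(&relative)
    { removed: removed, remaining: remaining, target_intact: File.file?(outside) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The check uses lstat rather than stat because stat follows the link and would report the type of the target instead of the link itself.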
