Use the array syntax for shelling out
What does this MR do and why?
Adds defense in depth to a previous fix. If validations are bypassed now the worst possible impact would be argument injection rather than a full command injection.
How to set up and validate locally
- Run Feature.enable(:bulk_import_projects) in your Rails console
- Follow this documentation to use bulk import
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Merge request reports
Activity
assigned to @dcouture
removed frontend label
changed milestone to %15.3
added maintenancerefactor security labels
added typemaintenance label
- Resolved by Vasilii Iakliushin
@nmalcolm as stable counterpart for ~"group::import" I'm curious if you've ever tried the bulk import? I'm trying locally but hitting this error when I try to import my GitLab.com groups from my local instance.
{"error":{"message":"Unable to connect to server: Unsuccessful response 500 from /api/v4/groups. Body: {\"message\"=\u003e\"500 Internal Server Error\"}","redirect":"/groups/new"}}
Also, while you're here, if you have time for a security review I would like another set of eyes to make sure I didn't make any major mistake that opens up the door for command injection (which is the opposite of the intent!).
Feel free to ping AppSec if you're not available.
@nmalcolm, thanks for approving this merge request. This is the first time the merge request is approved. To ensure full test coverage, a new pipeline has been started.
- Resolved by Vasilii Iakliushin
Thanks @dcouture LGTM
@vyaklushin may I ask you to do maintainer review of this change?
requested review from @vyaklushin
added 1098 commits
- ca085f00...1a625396 - 1097 commits from branch master
- 4124515f - Use the array syntax for shelling out
marked the checklist item I have evaluated the MR acceptance checklist for this MR. as completed
enabled an automatic merge when the pipeline for 6dae89f6 succeeds
mentioned in commit f3c3a682
added workflowstaging-canary label
added workflowcanary label and removed workflowstaging-canary label
added workflowstaging label and removed workflowcanary label
added workflowproduction label and removed workflowstaging label
added workflowpost-deploy-db-staging label and removed workflowproduction label
added workflowpost-deploy-db-production label and removed workflowpost-deploy-db-staging label
added releasedcandidate label
added releasedpublished label and removed releasedcandidate label
For reference - https://docs.gitlab.com/ee/development/shell_commands.html#bypass-the-shell-by-splitting-commands-into-separate-tokens covers this guideline
Also https://starlabs.sg/blog/2022/07-gitlab-project-import-rce-analysis-cve-2022-2185/ details how it could be vulnerable for this exact line.
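As an added illustration of the guideline linked above (example code written for this page, not from the MR's diff or GitLab's code base; the "repository name" input and the use of echo as the called program are constructed stand-ins), this shows why the string form lets a value reach the shell while the array form passes it as one literal argument, and the residual check that the array form still needs:

```ruby
require 'open3'

# Constructed sample input: a value that could arrive from an import payload.
UNTRUSTED = 'repo; echo INJECTED'

# String form: Ruby hands the whole line to /bin/sh, so the metacharacters
# inside the interpolated value are interpreted as shell syntax. This is
# the pattern the MR replaces (full command injection if validation fails).
def run_string_form(name)
  out, _status = Open3.capture2("echo #{name}")
  out
end

# Array form: each element is one argv entry and no shell is involved, so
# the value is delivered to the program as a single literal argument.
def run_array_form(name)
  out, _status = Open3.capture2('echo', name)
  out
end

# Residual risk of the array form is argument injection: a value starting
# with "-" may be parsed by the called program as an option. Reject such
# values (or, where the program supports it, place them after a "--" token).
def safe_arg(value)
  if value.start_with?('-')
    raise ArgumentError, "argument must not look like an option: #{value.inspect}"
  end
  value
end

if __FILE__ == $PROGRAM_NAME
  puts "string form: #{run_string_form(UNTRUSTED).inspect}"
  puts "array form:  #{run_array_form(UNTRUSTED).inspect}"
end
```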