From 0d8fba4eece4fa527dd764472c0e05e1f05f8bc4 Mon Sep 17 00:00:00 2001
From: DJ Mountney <dj@gitlab.com>
Date: Wed, 5 Apr 2017 21:55:19 +0000
Subject: [PATCH] Merge branch 'path-disclosure-proj-import-export' into
 'security'

Fix for path disclosure in project import/export

See merge request !2080
---
 app/helpers/projects_helper.rb                            | 5 ++++-
 .../unreleased/file-import-export-path-disclosure.yml     | 5 +++++
 spec/helpers/projects_helper_spec.rb                      | 8 ++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/file-import-export-path-disclosure.yml

diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index bd0c2cd661e..6b9e4267281 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -407,7 +407,10 @@ module ProjectsHelper
   def sanitize_repo_path(project, message)
     return '' unless message.present?
 
-    message.strip.gsub(project.repository_storage_path.chomp('/'), "[REPOS PATH]")
+    exports_path = File.join(Settings.shared['path'], 'tmp/project_exports')
+    filtered_message = message.strip.gsub(exports_path, "[REPO EXPORT PATH]")
+
+    filtered_message.gsub(project.repository_storage_path.chomp('/'), "[REPOS PATH]")
   end
 
   def project_feature_options
diff --git a/changelogs/unreleased/file-import-export-path-disclosure.yml b/changelogs/unreleased/file-import-export-path-disclosure.yml
new file mode 100644
index 00000000000..1a297d07187
--- /dev/null
+++ b/changelogs/unreleased/file-import-export-path-disclosure.yml
@@ -0,0 +1,5 @@
+---
+title: Fix path disclosure in project import/export
+merge_request: 
+author:
+
diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb
index fc6ad6419ac..44312ada438 100644
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -167,6 +167,7 @@ describe ProjectsHelper do
 
     before do
       allow(project).to receive(:repository_storage_path).and_return('/base/repo/path')
+      allow(Settings.shared).to receive(:[]).with('path').and_return('/base/repo/export/path')
     end
 
     it 'removes the repo path' do
@@ -175,6 +176,13 @@ describe ProjectsHelper do
 
       expect(sanitize_repo_path(project, import_error)).to eq('Could not clone [REPOS PATH]/namespace/test.git')
     end
+
+    it 'removes the temporary repo path used for uploads/exports' do
+      repo = '/base/repo/export/path/tmp/project_exports/uploads/test.tar.gz'
+      import_error = "Unable to decompress #{repo}\n"
+
+      expect(sanitize_repo_path(project, import_error)).to eq('Unable to decompress [REPO EXPORT PATH]/uploads/test.tar.gz')
+    end
   end
 
   describe '#last_push_event' do