Merge branch 'sh-fix-wiki-security-issue-53072' into 'master'

[master] Validate Wiki attachments are valid temporary files See merge request gitlab/gitlabhq!2568
2018-10-29 16:08:08 +00:00 · 2018-10-29 16:08:08 +00:00 · d3cd569bc6
parent 58646c65d5 a12d25d8a5
commit d3cd569bc6
4 changed files with 32 additions and 2 deletions
--- a/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml
+++ b/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml
@ -0,0 +1,5 @@
+---
+title: Validate Wiki attachments are valid temporary files
+merge_request:
+author:
+type: security
--- a/lib/api/validations/types/safe_file.rb
+++ b/lib/api/validations/types/safe_file.rb
@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# This module overrides the Grape type validator defined in
+# https://github.com/ruby-grape/grape/blob/master/lib/grape/validations/types/file.rb
+module API
+  module Validations
+    module Types
+      class SafeFile < ::Grape::Validations::Types::File
+        def value_coerced?(value)
+          super && value[:tempfile].is_a?(Tempfile)
+        end
+      end
+    end
+  end
+end
--- a/lib/api/wikis.rb
+++ b/lib/api/wikis.rb
@ -6,7 +6,7 @@ module API
      def commit_params(attrs)
        {
          file_name: attrs[:file][:filename],
-          file_content: File.read(attrs[:file][:tempfile]),
+          file_content: attrs[:file][:tempfile].read,
          branch_name: attrs[:branch]
        }
      end
@ -100,7 +100,7 @@ module API
        success Entities::WikiAttachment
      end
      params do
-        requires :file, type: File, desc: 'The attachment file to be uploaded'
+        requires :file, type: ::API::Validations::Types::SafeFile, desc: 'The attachment file to be uploaded'
        optional :branch, type: String, desc: 'The name of the branch'
      end
      post ":id/wikis/attachments", requirements: API::PROJECT_ENDPOINT_REQUIREMENTS do
--- a/spec/requests/api/wikis_spec.rb
+++ b/spec/requests/api/wikis_spec.rb
@ -158,6 +158,16 @@ describe API::Wikis do
      expect(json_response.size).to eq(1)
      expect(json_response['error']).to eq('file is missing')
    end
+
+    it 'responds with validation error on invalid temp file' do
+      payload[:file] = { tempfile: '/etc/hosts' }
+
+      post(api(url, user), payload)
+
+      expect(response).to have_gitlab_http_status(400)
+      expect(json_response.size).to eq(1)
+      expect(json_response['error']).to eq('file is invalid')
+    end
  end

  describe 'GET /projects/:id/wikis' do