Don't leak information about private project existence via Git-over-SSH/HTTP.

dd37a10d · Douwe Maan · 039fd3c5 · dd37a10d · dd37a10d
隐藏空白更改
内联并排

Showing with 50 addition and 41 deletion

lib/api/internal.rb lib/api/internal.rb +22 -17

lib/gitlab/backend/grack_auth.rb lib/gitlab/backend/grack_auth.rb +28 -24

未找到文件。
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -16,6 +16,17 @@ module API
      #
      post "/allowed" do
        status 200
+        actor = if params[:key_id]
+                  Key.find_by(id: params[:key_id])
+                elsif params[:user_id]
+                  User.find_by(id: params[:user_id])
+                end
+        unless actor
+          return Gitlab::GitAccessStatus.new(false, 'No such user or key')
+        end
        project_path = params[:project]
        # Check for *.wiki repositories.
@@ -32,26 +43,20 @@ module API
        project = Project.find_with_namespace(project_path)
-        unless project
+        if project
-          return Gitlab::GitAccessStatus.new(false, 'No such project')
+          status = access.check(
+            actor,
+            params[:action],
+            project,
+            params[:changes]
+          )
        end
-        actor = if params[:key_id]
+        if project && status && status.allowed?
-                  Key.find_by(id: params[:key_id])
+          status
-                elsif params[:user_id]
+        else
-                  User.find_by(id: params[:user_id])
+          Gitlab::GitAccessStatus.new(false, 'No such project')
-                end
-        unless actor
-          return Gitlab::GitAccessStatus.new(false, 'No such user or key')
        end
-        access.check(
-          actor,
-          params[:action],
-          project,
-          params[:changes]
-        )
      end
      #

--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -10,8 +10,9 @@ module Grack
      @request = Rack::Request.new(env)
      @auth = Request.new(env)
-      # Need this patch due to the rails mount
+      @gitlab_ci = false
+      # Need this patch due to the rails mount
      # Need this if under RELATIVE_URL_ROOT
      unless Gitlab.config.gitlab.relative_url_root.empty?
        # If website is mounted using relative_url_root need to remove it first
@@ -22,8 +23,12 @@ module Grack
      @env['SCRIPT_NAME'] = ""
-      if project
+      auth!
-        auth!
+      if project && authorized_request?
+        @app.call(env)
+      elsif @user.nil? && !@gitlab_ci
+        unauthorized
      else
        render_not_found
      end
@@ -32,35 +37,30 @@ module Grack
    private
    def auth!
-      if @auth.provided?
+      return unless @auth.provided?
-        return bad_request unless @auth.basic?
-        # Authentication with username and password
-        login, password = @auth.credentials
-        # Allow authentication for GitLab CI service
+      return bad_request unless @auth.basic?
-        # if valid token passed
-        if gitlab_ci_request?(login, password)
-          return @app.call(env)
-        end
-        @user = authenticate_user(login, password)
+      # Authentication with username and password
+      login, password = @auth.credentials
-        if @user
+      # Allow authentication for GitLab CI service
-          Gitlab::ShellEnv.set_env(@user)
+      # if valid token passed
-          @env['REMOTE_USER'] = @auth.username
+      if gitlab_ci_request?(login, password)
-        end
+        @gitlab_ci = true
+        return
      end
-      if authorized_request?
+      @user = authenticate_user(login, password)
-        @app.call(env)
-      else
+      if @user
-        unauthorized
+        Gitlab::ShellEnv.set_env(@user)
+        @env['REMOTE_USER'] = @auth.username
      end
    end
    def gitlab_ci_request?(login, password)
-      if login == "gitlab-ci-token" && project.gitlab_ci?
+      if login == "gitlab-ci-token" && project && project.gitlab_ci?
        token = project.gitlab_ci_service.token
        if token.present? && token == password && git_cmd == 'git-upload-pack'
@@ -107,6 +107,8 @@ module Grack
    end
    def authorized_request?
+      return true if @gitlab_ci
      case git_cmd
      when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
        if user
@@ -141,7 +143,9 @@ module Grack
    end
    def project
-      @project ||= project_by_path(@request.path_info)
+      return @project if defined?(@project)
+      @project = project_by_path(@request.path_info)
    end
    def project_by_path(path)