Commit 1493ede6 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-2767-verify-lfs-finalize-from-workhorse-11-5' into 'security-11-5'

[11.5] Verify that LFS upload requests are genuine

See merge request gitlab/gitlabhq!2864

(cherry picked from commit 5c3d4d012e734b12140ecc527ade0f5ae8a26049)

dd634b25 Verify that LFS upload requests are genuine
parent d8916379
......@@ -5,7 +5,7 @@ class Projects::LfsStorageController < Projects::GitHttpClientController
include WorkhorseRequest
include SendFileUpload
skip_before_action :verify_workhorse_api!, only: [:download, :upload_finalize]
skip_before_action :verify_workhorse_api!, only: :download
def download
lfs_object = LfsObject.find_by_oid(oid)
......
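Review bot: With upload_finalize removed from the skip list, a finalize request that lacks a valid Workhorse JWT is rejected by an exception rather than an explicit 4xx: the spec in this commit pins `raise_error(JWT::DecodeError)` for the unverified case, so unless something outside this hunk rescues it, the rejection surfaces as an unhandled error instead of a 403. That still blocks the upload, but the intent deserves a comment on the `skip_before_action` line, e.g. `# Only download may be served without the Workhorse JWT; upload_finalize must prove it came from gitlab-workhorse`. Whether `verify_workhorse_api!` is installed as a before_action by the included `WorkhorseRequest` module is not visible here and should be confirmed, since the skip only protects the other actions if that filter actually runs for them.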
---
title: Verify that LFS upload requests are genuine
merge_request:
author:
type: security
......@@ -1086,6 +1086,12 @@ describe 'Git LFS API and storage' do
end
end
context 'and request to finalize the upload is not sent by gitlab-workhorse' do
it 'fails with a JWT decode error' do
expect { put_finalize(lfs_tmp_file, verified: false) }.to raise_error(JWT::DecodeError)
end
end
context 'and workhorse requests upload finalize for a new lfs object' do
before do
lfs_object.destroy
......@@ -1347,8 +1353,12 @@ describe 'Git LFS API and storage' do
context 'when pushing the same lfs object to the second project' do
before do
put "#{second_project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", nil,
headers.merge('X-Gitlab-Lfs-Tmp' => lfs_tmp_file).compact
finalize_headers = headers
.merge('X-Gitlab-Lfs-Tmp' => lfs_tmp_file)
.merge(workhorse_internal_api_request_header)
put "#{second_project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}",
nil, finalize_headers
end
it 'responds with status 200' do
......@@ -1369,7 +1379,7 @@ describe 'Git LFS API and storage' do
put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}/authorize", nil, authorize_headers
end
def put_finalize(lfs_tmp = lfs_tmp_file, with_tempfile: false, args: {})
def put_finalize(lfs_tmp = lfs_tmp_file, with_tempfile: false, verified: true, args: {})
upload_path = LfsObjectUploader.workhorse_local_upload_path
file_path = upload_path + '/' + lfs_tmp if lfs_tmp
......@@ -1383,11 +1393,14 @@ describe 'Git LFS API and storage' do
'file.name' => File.basename(file_path)
}
put_finalize_with_args(args.merge(extra_args).compact)
put_finalize_with_args(args.merge(extra_args).compact, verified: verified)
end
def put_finalize_with_args(args)
put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", args, headers
def put_finalize_with_args(args, verified:)
finalize_headers = headers
finalize_headers.merge!(workhorse_internal_api_request_header) if verified
put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", args, finalize_headers
end
def lfs_tmp_file
......
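Review bot: `finalize_headers.merge!(workhorse_internal_api_request_header) if verified` in put_finalize_with_args mutates `headers` in place, because `finalize_headers = headers` is only an alias, not a copy. If `headers` is a memoized `let` (the non-destructive `headers.merge(...)` in the second-project hunk suggests it is treated as shared elsewhere), a `verified: true` call followed by a `verified: false` call in the same example would still carry the Workhorse header, and the negative test would pass for the wrong reason. Replace the two lines with `finalize_headers = verified ? headers.merge(workhorse_internal_api_request_header) : headers`. The enclosing describe block extends beyond these hunks.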