
Prevent parameter injections and path traversals via CreateObjectPool RPC.

Sami Hiltunen requested to merge 2303-parameter-injection into master

As suggested by @pokstad1, passes object pool clone origin and target repository as post separator arguments. This fixes a vulnerability where the caller could inject parameters to the command line via the target repository's relative path.

Validates that object pool and origin repository relative paths follow the expected format. This also blocks path traversals and parameter injections in the relative paths.

Closes #2303
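The two measures described above, sketched as an added example that is not part of the merge request or Gitaly's own code: relative paths are validated first, then passed to `git clone` after the `--` separator. The function names, storage root, sample paths and validation rules are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// validateRelativePath is a hypothetical check (not Gitaly's own): it rejects
// values that could be read as an option or that escape the storage root.
func validateRelativePath(rel string) error {
	switch {
	case rel == "":
		return errors.New("empty relative path")
	case strings.HasPrefix(rel, "-"):
		return errors.New("relative path looks like a command-line option")
	case filepath.IsAbs(rel):
		return errors.New("relative path is absolute")
	}
	for _, part := range strings.Split(filepath.ToSlash(rel), "/") {
		if part == ".." {
			return errors.New("relative path contains a traversal component")
		}
	}
	return nil
}

// cloneArgs builds the git argv. Everything after "--" is positional, so git
// does not parse the origin or the pool path as an option.
func cloneArgs(storageRoot, originRel, poolRel string) ([]string, error) {
	for _, rel := range []string{originRel, poolRel} {
		if err := validateRelativePath(rel); err != nil {
			return nil, fmt.Errorf("%q: %w", rel, err)
		}
	}
	return []string{
		"clone", "--quiet", "--bare", "--local", "--",
		filepath.Join(storageRoot, originRel),
		filepath.Join(storageRoot, poolRel),
	}, nil
}

func main() {
	for _, pool := range []string{"pools/ab/cd/pool.git", "--constructed-option", "../../outside"} { // constructed inputs
		args, err := cloneArgs("/srv/storage", "project/origin.git", pool)
		fmt.Println(args, err)
	}
}
```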
