Geo route whitelisting is too optimistic

The following discussion from !2758 (merged) should be addressed:

  • @nick.thomas started a discussion:

    Hmm. This is a more general problem than just this route, so let's resolve it in a separate issue, but consider this form:

    https://gitlab.com/nick.thomas/gitlab-ce/new/master/app

    It will POST to a URL ending in a completely user-controlled string. If they have /info/lfs/objects/batch as a directory hierarchy, then attempting to create a new file there will be whitelisted here.

    Since we're only touching the filesystem, I wonder if this will actually succeed and cause the secondary to go out of sync with the primary?

All these ends_with? and includes? checks in lib/gitlab/middleware/readonly_geo.rb have this problem.

/cc @dbalexandre @stanhu
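As an added illustration (not code from this issue or from GitLab itself), the comparison below shows why a suffix-only whitelist is too broad: it assumes the LFS batch route has the shape /:namespace/:project.git/info/lfs/objects/batch, and the sample request paths are constructed for the demonstration.

```ruby
# Added example, not GitLab's code. Contrasts the optimistic suffix check with
# an anchored route match for the read-only Geo whitelist.
# Assumption: the genuine LFS batch endpoint is
#   /:namespace/:project.git/info/lfs/objects/batch

LFS_BATCH_SUFFIX = '/info/lfs/objects/batch'.freeze

# The optimistic check (plain Ruby end_with?, the same idea as ActiveSupport's
# ends_with?): any path that merely ends with the suffix is whitelisted.
def whitelisted_by_suffix?(path)
  path.end_with?(LFS_BATCH_SUFFIX)
end

# Anchored alternative: the suffix must follow exactly one namespace segment and
# one project.git segment, so a user-controlled path tail inside a repository
# tree cannot satisfy it.
LFS_BATCH_ROUTE = %r{\A/[^/]+/[^/]+\.git/info/lfs/objects/batch\z}.freeze

def whitelisted_by_route?(path)
  LFS_BATCH_ROUTE.match?(path)
end

# Constructed sample requests (assumed path shapes, not real GitLab traffic).
SAMPLE_PATHS = [
  # genuine LFS batch call that a secondary must keep serving
  '/nick.thomas/gitlab-ce.git/info/lfs/objects/batch',
  # file-creation POST whose tail is the user-chosen directory hierarchy
  '/nick.thomas/gitlab-ce/create/master/app/info/lfs/objects/batch',
  # ordinary UI form target with no resemblance to the route
  '/nick.thomas/gitlab-ce/new/master/app'
].freeze

# Returns [path, suffix_result, route_result] for each sample path.
def compare(paths = SAMPLE_PATHS)
  paths.map { |p| [p, whitelisted_by_suffix?(p), whitelisted_by_route?(p)] }
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |path, by_suffix, by_route|
    puts format('%-66s suffix=%-5s route=%s', path, by_suffix, by_route)
  end
end
```

Only the second sample path differs between the two checks: the suffix match lets the file-creation request through, while the anchored match rejects it.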