Class: Gitlab::Middleware::PathTraversalCheck

Inherits:
Object
Defined in:
lib/gitlab/middleware/path_traversal_check.rb

Constant Summary

# Body of the 400 response (see REJECT_RESPONSE) sent back when a request is
# rejected. The message points the client at a feedback issue.
PATH_TRAVERSAL_MESSAGE =
'Potential path traversal attempt detected. Feedback issue: https://gitlab.com/gitlab-org/gitlab/-/issues/520714.'

# Query param names known to have string parts detected as path traversal even
# though they are valid genuine requests. How this allow-list is consulted is
# not part of this listing (the detection logic lives in path_traversal_attempt?).
EXCLUDED_QUERY_PARAM_NAMES =
%w[
  search
  search_title
  search_query
  term
  name
  filter
  filter_projects
  note
  body
  commit_message
  content
  description
].freeze

# Depth limit for nested parameters. Its use is not shown in this listing;
# presumably it bounds how deep nested params are walked during detection —
# TODO confirm against path_traversal_attempt?.
NESTED_PARAMETERS_MAX_LEVEL =
5

# Canned Rack response triplet [status, headers, body] returned instead of
# calling the wrapped app: 400 Bad Request with a text/plain body.
REJECT_RESPONSE =
[
  Rack::Utils::SYMBOL_TO_STATUS_CODE[:bad_request],
  { 'Content-Type' => 'text/plain' },
  [PATH_TRAVERSAL_MESSAGE]
].freeze

Instance Method Summary

Constructor Details

#initialize(app) ⇒ PathTraversalCheck

Returns a new instance of PathTraversalCheck.



# File 'lib/gitlab/middleware/path_traversal_check.rb', line 30

# @param app [#call] the next Rack application in the chain; it is invoked
#   with the untouched env whenever this middleware does not reject the request
def initialize(app)
  @app = app
end

Instance Method Details

#call(env) ⇒ Object



# File 'lib/gitlab/middleware/path_traversal_check.rb', line 34

# Rack entry point.
#
# While the `check_path_traversal_middleware` feature flag is disabled the
# request is passed straight through, so the flag state decides whether this
# middleware offers any protection at all. Otherwise the request is inspected
# and, on a suspected traversal attempt, the event is logged and the canned
# REJECT_RESPONSE is returned without the wrapped app ever seeing the request.
#
# @param env [Hash] the Rack environment
# @return [Array] a Rack response triplet — either the wrapped app's response
#   or REJECT_RESPONSE
def call(env)
  check_enabled = Feature.enabled?(:check_path_traversal_middleware, Feature.current_request)
  return @app.call(env) unless check_enabled

  # The request wrapper is built on a shallow copy of env; presumably this
  # keeps whatever ActionDispatch::Request caches in the env out of the hash
  # handed on to @app — verify against ActionDispatch before relying on it.
  log_params = {}
  request = ::ActionDispatch::Request.new(env.dup)

  # path_traversal_attempt? is expected to populate log_params as a side effect;
  # the hash is then emitted via log() only when the request is rejected.
  if path_traversal_attempt?(request, log_params)
    # TODO Remove remote_ip here when https://gitlab.com/gitlab-org/ruby/gems/labkit-ruby/-/issues/41 is implemented
    log_params.merge!(request_rejected: true, remote_ip: request.remote_ip)
    log(log_params)

    REJECT_RESPONSE
  else
    @app.call(env)
  end
end