Feature #17164

file:/// repository insecure

Added by John Pham over 3 years ago. Updated about 3 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: SCM
Target version: -
Resolution: Duplicate

Description

Could there be a way to restrict file:/// URLs in repositories? If SVN projects are accessible by the webserver (likely if using dav_svn), anyone with permissions to add a repository has unrestricted access to any repository on the webserver viewable by the server process, almost equivalent to filesystem access.


Related issues

Related to Redmine - Feature #1415: Let system administrator limit repositories valid sources Closed 2008-06-09

History

#1 Updated by Go MAEDA over 3 years ago

Save the following code as 'config/initializers/99-restrect-svn-file-scheme.rb' and restart Redmine. You will not be able to set 'file:///.....'.

require_dependency 'repository/subversion.rb'

# Monkey-patches Repository::Subversion so that assigning a file:// URL is ignored.
module RestrictSvnFileScheme

  def self.included(base)
    base.send(:include, WrapperMethods)

    base.class_eval do
      # Routes url= through url_with_restrict_file_scheme=; the original
      # setter stays reachable as url_without_restrict_file_scheme=.
      alias_method_chain :url=, :restrict_file_scheme
    end
  end

  module WrapperMethods
    # Only writes the attribute when the value does not start with file://
    # (case-insensitive); a file:// value is silently dropped, not reported.
    def url_with_restrict_file_scheme=(v)
      write_attribute(:url, v) if v !~ %r|\Afile://|i
    end
  end
end

Repository::Subversion.send(:include, RestrictSvnFileScheme)
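The same restriction written as a validation that reports why a URL was refused rather than silently dropping it, as an added example that is not Redmine's code and not part of this thread. It goes beyond the `\Afile://` prefix match by checking the parsed scheme against an allowlist (so `FILE://` and `file:/path` forms are also refused); the optional host regexp is an assumed knob, in the spirit of limiting valid repository sources.

```ruby
require 'uri'

# Added example, not Redmine code: decides whether a Subversion repository
# URL may be stored and returns a human-readable reason when it may not.
class SvnRepositoryUrlPolicy
  # Schemes Subversion itself serves over the network; 'file' is deliberately
  # absent so the webserver process cannot be pointed at arbitrary local paths.
  ALLOWED_SCHEMES = %w[http https svn svn+ssh].freeze

  # hosts_regexp (assumed knob): anchored regexp the URL host must match.
  def initialize(allowed_schemes: ALLOWED_SCHEMES, hosts_regexp: nil)
    @allowed_schemes = allowed_schemes.map(&:downcase)
    @hosts_regexp = hosts_regexp
  end

  # Returns nil when the URL is acceptable, otherwise a short reason string
  # suitable for an ActiveRecord errors.add call.
  def error_for(url)
    s = url.to_s.strip
    return 'URL is blank' if s.empty?
    begin
      uri = URI.parse(s)
    rescue URI::InvalidURIError
      return 'URL is not parseable'
    end
    # Parsing the scheme (rather than prefix-matching the string) catches
    # FILE:///..., file:/path and similar variants in one place.
    scheme = uri.scheme.to_s.downcase
    return 'URL has no scheme' if scheme.empty?
    return "scheme '#{scheme}' is not allowed" unless @allowed_schemes.include?(scheme)
    return 'URL has no host' if uri.host.to_s.empty?
    if @hosts_regexp && uri.host !~ @hosts_regexp
      return "host '#{uri.host}' is not an allowed source"
    end
    nil
  end

  def allowed?(url)
    error_for(url).nil?
  end
end
```

In a model this would be called from a `validate` hook so the rejection reaches the form instead of leaving the field unexplainably unchanged.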

#2 Updated by John Pham over 3 years ago

I got the following error on 2.4.2 (ubuntu 14.04 package):

uninitialized constant Redmine::Scm::Adapters::AbstractAdapter::CommandFailed (NameError)
  /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:30:in `<class:AbstractAdapter>'
  /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:27:in `<module:Adapters>'
  /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:26:in `<module:Scm>'
  /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:25:in `<module:Redmine>'
  /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:24:in `<top (required)>'
  /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/subversion_adapter.rb:18:in `<top (required)>'
  /var/lib/redmine/default/passenger/app/models/repository/subversion.rb:18:in `<top (required)>'
  /var/lib/redmine/default/passenger/config/initializers/99-restrict-svn-file-schema.rb:1:in `<top (required)>'
  /usr/lib/ruby/vendor_ruby/rails/engine.rb:593:in `block (2 levels) in <class:Engine>'
  /usr/lib/ruby/vendor_ruby/rails/engine.rb:592:in `each'
  /usr/lib/ruby/vendor_ruby/rails/engine.rb:592:in `block in <class:Engine>'
  /usr/lib/ruby/vendor_ruby/rails/initializable.rb:30:in `instance_exec'
  /usr/lib/ruby/vendor_ruby/rails/initializable.rb:30:in `run'
  /usr/lib/ruby/vendor_ruby/rails/initializable.rb:55:in `block in run_initializers'
  /usr/lib/ruby/vendor_ruby/rails/initializable.rb:54:in `each'
  /usr/lib/ruby/vendor_ruby/rails/initializable.rb:54:in `run_initializers'
  /usr/lib/ruby/vendor_ruby/rails/application.rb:136:in `initialize!'
  /usr/lib/ruby/vendor_ruby/rails/railtie/configurable.rb:30:in `method_missing'
  /var/lib/redmine/default/passenger/config/environment.rb:14:in `<top (required)>'
  config.ru:3:in `require'
  config.ru:3:in `block in <main>'
  /usr/lib/ruby/vendor_ruby/rack/builder.rb:51:in `instance_eval'
  /usr/lib/ruby/vendor_ruby/rack/builder.rb:51:in `initialize'
  config.ru:1:in `new'
  config.ru:1:in `<main>'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `eval'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `preload_app'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:158:in `<module:App>'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<module:PhusionPassenger>'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:28:in `<main>'

but adding
class CommandFailed < StandardError #:nodoc:
end

seems to fix it. Thanks!

#3 Updated by Go MAEDA about 3 years ago

  • Related to Defect #18291: Path property security issue when adding filesystem repository added

#4 Updated by Jean-Philippe Lang about 3 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Closing as a dup of #1415 which is addressed for 3.0 by adding configuration settings to limit valid repository path.

#5 Updated by Jean-Philippe Lang about 3 years ago

  • Related to deleted (Defect #18291: Path property security issue when adding filesystem repository)

#6 Updated by Jean-Philippe Lang about 3 years ago

  • Related to Feature #1415: Let system administrator limit repositories valid sources added
