Skip to content

Commit 8172238

Browse files
Ashvin SharmaGitLab
Ashvin Sharma
authored and
GitLab
committed
Merge branch 'patch-security' into 'main'
Prevent CACHE_FALLBACK_KEY from bypassing protection on Windows See merge request https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/6440 Merged-by: Ashvin Sharma <ashsharma@gitlab.com> Approved-by: Vishal Tak <vtak@gitlab.com>
2 parents 34c44db + 07c04c3 commit 8172238

2 files changed

Lines changed: 24 additions & 12 deletions

File tree

shells/abstract.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -289,7 +289,8 @@ func (b *AbstractShell) extractCacheOrFallbackCachesWrapper(
289289
// the fallback key from CACHE_FALLBACK_KEY
290290
blockProtectedFallback := func(key string) bool {
291291
const blockedSuffix = "-protected"
292-
allowed := !strings.HasSuffix(key, blockedSuffix)
292+
trimmedKey := strings.TrimRight(key, ". ")
293+
allowed := !strings.HasSuffix(trimmedKey, blockedSuffix)
293294
if !allowed {
294295
w.Warningf("CACHE_FALLBACK_KEY %q not allowed to end in %q", key, blockedSuffix)
295296
}

shells/abstract_test.go

Lines changed: 22 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1554,10 +1554,9 @@ func TestAbstractShell_extractCacheWithDefaultFallbackKey(t *testing.T) {
15541554
const cacheEnvFile = "/some/path/to/runner-cache-env"
15551555

15561556
type expectations struct {
1557-
cacheKeys []string
1558-
usesEnvFile []bool
1559-
warning []any
1560-
notices [][]any
1557+
cacheKeys []string
1558+
warning []any
1559+
notices [][]any
15611560
}
15621561
type hashMode uint8
15631562
const (
@@ -1631,8 +1630,7 @@ func TestAbstractShell_extractCacheWithDefaultFallbackKey(t *testing.T) {
16311630
notices: [][]any{{`Skipping cache extraction due to %v`, fmt.Errorf("empty cache key")}},
16321631
},
16331632
withHashing: {
1634-
cacheKeys: []string{"test-cache-key", ".."},
1635-
usesEnvFile: []bool{true, false},
1633+
cacheKeys: []string{"test-cache-key", ".."},
16361634
},
16371635
},
16381636
},
@@ -1646,9 +1644,23 @@ func TestAbstractShell_extractCacheWithDefaultFallbackKey(t *testing.T) {
16461644
warning: []any{"CACHE_FALLBACK_KEY %q not allowed to end in %q", "main-protected", "-protected"},
16471645
},
16481646
withHashing: {
1649-
cacheKeys: []string{"test-cache-key"},
1650-
warning: []any{"CACHE_FALLBACK_KEY %q not allowed to end in %q", "main-protected", "-protected"},
1651-
usesEnvFile: []bool{true},
1647+
cacheKeys: []string{"test-cache-key"},
1648+
warning: []any{"CACHE_FALLBACK_KEY %q not allowed to end in %q", "main-protected", "-protected"},
1649+
},
1650+
},
1651+
},
1652+
"using trailing dot suffix": {
1653+
cacheType: "test",
1654+
cacheKey: "test-cache-key",
1655+
cacheFallbackKeyVarValue: "main-protected.",
1656+
expectations: map[hashMode]expectations{
1657+
withoutHashing: {
1658+
cacheKeys: []string{"test-cache-key"},
1659+
warning: []any{"CACHE_FALLBACK_KEY %q not allowed to end in %q", "main-protected.", "-protected"},
1660+
},
1661+
withHashing: {
1662+
cacheKeys: []string{"test-cache-key"},
1663+
warning: []any{"CACHE_FALLBACK_KEY %q not allowed to end in %q", "main-protected.", "-protected"},
16521664
},
16531665
},
16541666
},
@@ -1679,8 +1691,7 @@ func TestAbstractShell_extractCacheWithDefaultFallbackKey(t *testing.T) {
16791691
notices: [][]any{{`Skipping cache extraction due to %v`, fmt.Errorf("empty cache key")}},
16801692
},
16811693
withHashing: {
1682-
cacheKeys: []string{"some-job-name/some-ref-name", "."},
1683-
usesEnvFile: []bool{true, false},
1694+
cacheKeys: []string{"some-job-name/some-ref-name", "."},
16841695
},
16851696
},
16861697
},

0 commit comments

Comments
 (0)