Feature #17164
file:/// repository insecure
Status:
Closed
Priority:
Normal
Assignee:
-
Category:
SCM
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Resolution:
Duplicate
Description
Could there be a way to restrict file:/// URLs in repositories? If SVN projects are accessible by the webserver (likely if using dav_svn), anyone with permissions to add a repository has unrestricted access to any repository on the webserver viewable by the server process, almost equivalent to filesystem access.
Related issues
Updated by Go MAEDA over 9 years ago
Save the following code as 'config/initializers/99-restrect-svn-file-scheme.rb' and restart Redmine. You will not be able to set 'file:///.....'.
    require_dependency 'repository/subversion.rb'

    module RestrictSvnFileScheme
      def self.included(base)
        base.send(:include, WrapperMethods)
        base.class_eval do
          # Route Repository::Subversion#url= through the wrapper below.
          alias_method_chain :url=, :restrict_file_scheme
        end
      end

      module WrapperMethods
        # Store the URL only when it does not start with file:// (case-insensitive);
        # otherwise the assignment is silently ignored.
        def url_with_restrict_file_scheme=(v)
          write_attribute(:url, v) if v !~ %r|\Afile://|i
        end
      end
    end

    Repository::Subversion.send(:include, RestrictSvnFileScheme)
Updated by John Pham over 9 years ago
I got the following error on 2.4.2 (ubuntu 14.04 package):
    uninitialized constant Redmine::Scm::Adapters::AbstractAdapter::CommandFailed (NameError)
    /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:30:in `<class:AbstractAdapter>'
    /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:27:in `<module:Adapters>'
    /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:26:in `<module:Scm>'
    /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:25:in `<module:Redmine>'
    /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:24:in `<top (required)>'
    /var/lib/redmine/default/passenger/lib/redmine/scm/adapters/subversion_adapter.rb:18:in `<top (required)>'
    /var/lib/redmine/default/passenger/app/models/repository/subversion.rb:18:in `<top (required)>'
    /var/lib/redmine/default/passenger/config/initializers/99-restrict-svn-file-schema.rb:1:in `<top (required)>'
    /usr/lib/ruby/vendor_ruby/rails/engine.rb:593:in `block (2 levels) in <class:Engine>'
    /usr/lib/ruby/vendor_ruby/rails/engine.rb:592:in `each'
    /usr/lib/ruby/vendor_ruby/rails/engine.rb:592:in `block in <class:Engine>'
    /usr/lib/ruby/vendor_ruby/rails/initializable.rb:30:in `instance_exec'
    /usr/lib/ruby/vendor_ruby/rails/initializable.rb:30:in `run'
    /usr/lib/ruby/vendor_ruby/rails/initializable.rb:55:in `block in run_initializers'
    /usr/lib/ruby/vendor_ruby/rails/initializable.rb:54:in `each'
    /usr/lib/ruby/vendor_ruby/rails/initializable.rb:54:in `run_initializers'
    /usr/lib/ruby/vendor_ruby/rails/application.rb:136:in `initialize!'
    /usr/lib/ruby/vendor_ruby/rails/railtie/configurable.rb:30:in `method_missing'
    /var/lib/redmine/default/passenger/config/environment.rb:14:in `<top (required)>'
    config.ru:3:in `require'
    config.ru:3:in `block in <main>'
    /usr/lib/ruby/vendor_ruby/rack/builder.rb:51:in `instance_eval'
    /usr/lib/ruby/vendor_ruby/rack/builder.rb:51:in `initialize'
    config.ru:1:in `new'
    config.ru:1:in `<main>'
    /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `eval'
    /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `preload_app'
    /usr/share/passenger/helper-scripts/rack-preloader.rb:158:in `<module:App>'
    /usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<module:PhusionPassenger>'
    /usr/share/passenger/helper-scripts/rack-preloader.rb:28:in `<main>'

but adding

    class CommandFailed < StandardError #:nodoc:
    end

seems to fix it. Thanks!
Updated by Go MAEDA almost 9 years ago
- Related to Defect #18291: Path property security issue when adding filesystem repository added
Updated by Jean-Philippe Lang almost 9 years ago
- Status changed from New to Closed
- Resolution set to Duplicate
Closing as a dup of #1415 which is addressed for 3.0 by adding configuration settings to limit valid repository path.
Updated by Jean-Philippe Lang almost 9 years ago
- Related to deleted (Defect #18291: Path property security issue when adding filesystem repository)
Updated by Jean-Philippe Lang almost 9 years ago
- Related to Feature #1415: Let system administrator limit repositories valid sources added
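An added example, not part of this thread and not Redmine's own code: a stand-alone Ruby check that combines the two ideas discussed above, refusing file:// by scheme allowlist and, optionally, permitting it only beneath one administrator-chosen directory. The names check_repository_url, ALLOWED_SCHEMES and file_root, and the paths under /var/svn, are hypothetical and the sample URLs are constructed.

```ruby
require 'uri'

# Hypothetical policy, constructed for this example: schemes accepted as-is.
ALLOWED_SCHEMES = %w[http https svn svn+ssh].freeze

# Returns [true, nil] if the repository URL is acceptable, else [false, reason].
# file:// is refused unless file_root is given and the path stays beneath it.
# Symlinks are not resolved here.
def check_repository_url(raw, allowed_schemes: ALLOWED_SCHEMES, file_root: nil)
  url = raw.to_s.strip
  return [false, 'empty URL'] if url.empty?

  # Compare the parsed, lower-cased scheme instead of pattern-matching the string.
  scheme = URI.parse(url).scheme.to_s.downcase
  return [true, nil] if allowed_schemes.include?(scheme)
  return [false, "scheme #{scheme.inspect} not allowed"] unless scheme == 'file' && file_root

  # Decode %XX escapes, then collapse "." and ".." before comparing to the root.
  path = File.expand_path(URI.decode_www_form_component(URI.parse(url).path.to_s), '/')
  root = File.expand_path(file_root, '/')
  return [true, nil] if path == root || path.start_with?(root + '/')

  [false, "file:// path outside #{root}"]
rescue URI::InvalidURIError, ArgumentError
  # ArgumentError covers decoded NUL bytes rejected by File.expand_path.
  [false, 'unparseable URL']
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, checked against a constructed per-project root.
  [
    'https://svn.example.org/repo',
    'file:///var/svn/projA/trunk',
    'file:///var/svn/projA/../projB',
    '  FILE:///var/svn/projAB'
  ].each { |u| p [u, check_repository_url(u, file_root: '/var/svn/projA')] }
end
```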