昨天看到oschina上的 报道,gitlab存在权限泄露漏洞。幸运的是官方同时释放出新版并给出了修复方案。私人的代码仓库基于gitlab搭建,所以也必须修复,以防被恶意利用。
打开gitlab的官方博客的 更新说明,内容基本上和 oschina的报道 一致。于是按照官方指引修复:
更新gitlab到最新版:
yum update -y gitlab-ce
新建
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/reset_token.rake
文件,并往文件中输入以下内容:
# lib/tasks/reset_token.rake require_relative '../../app/models/concerns/token_authenticatable.rb' STDOUT.sync = true namespace :tokens do desc "Reset all GitLab user auth tokens" task reset_all: :environment do reset_all_users_token(:reset_authentication_token!) end desc "Reset all GitLab email tokens" task reset_all_email: :environment do reset_all_users_token(:reset_incoming_email_token!) end def reset_all_users_token(token) TmpUser.find_in_batches do |batch| puts "Processing batch starting with user ID: #{batch.first.id}" batch.each(&token) end end end class TmpUser < ActiveRecord::Base include TokenAuthenticatable self.table_name = 'users' def reset_authentication_token! write_new_token(:authentication_token) save!(validate: false) end def reset_incoming_email_token! write_new_token(:incoming_email_token) save!(validate: false) end end
- 执行token重置命令:
sudo gitlab-rake tokens:reset_all sudo gitlab-rake tokens:reset_all_email
成功的大致输出为:Processing batch starting with user ID: xxx
修复过程中有个插曲:对于用包管理的用户,以为建立文件即可。运行gitlab-rake tokens:reset_all
时会出现错误提示:
D, [2017-03-22T10:44:47.573742 #22045] DEBUG -- sentry: ** [Raven] Don't know how to build task 'tokens:r eset_all' (see --tasks) excluded from capture due to environment or should_capture callback rake aborted! Don't know how to build task 'tokens:reset_all' (see --tasks)
在官方论坛上,有人就这个输出发了一个 issue(犯了和我同样的错误),还好大神很快就出来解答了^_`