安全RCE之未授权访问分析(21)

总结下这部分的调用结构和流程：

gitlab-rails处理认证请求

rails部分的处理是比较关键的，只有在rails正确授权才能上传文件。rails中关于uploads接口的路由文件位于config/routes/uploads.rb内。其中一条路由规则为
post ":model/authorize", to: "uploads#authorize", constraints: { model: /personal_snippet|user/ }
请求/uploads/user/authorize将匹配这条规则，调用controlleruploads中的action。
controller定义位于app/controllers/uploads_controller.rb，在头部include了UploadsActions所在的文件。在其中摘抄出关键的代码如下：
class UploadsController < ApplicationController include UploadsActions include WorkhorseRequest # ... #跳过登录鉴权 skip_before_action :authenticate_user! before_action :authorize_create_access!, only: [:create, :authorize] before_action :verify_workhorse_api!, only: [:authorize] # ... def find_model return unless params[:id] upload_model_class.find(params[:id]) end # ... def authorize_create_access! #unless和if的作用相反 return unless model authorized = case model when User can?(current_user, :update_user, model) else can?(current_user, :create_note, model) end render_unauthorized unless authorized end def render_unauthorized if current_user || workhorse_authorize_request? render_404 else authenticate_user! end end # ...