diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-22 21:44:12 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-22 21:44:12 +0300 |
commit | 34d6370bacdf1849de3618f23faaa9de76612e31 (patch) | |
tree | 1420e018fea4068504d059141212502e6f9ac040 /app/controllers | |
parent | 727b75d3e8ecb88c70edbb017f29a8da302656c0 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-0-stable-eev16.0.1
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/concerns/uploads_actions.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb index db756ae336f..0d64a685065 100644 --- a/app/controllers/concerns/uploads_actions.rb +++ b/app/controllers/concerns/uploads_actions.rb @@ -10,6 +10,10 @@ module UploadsActions included do prepend_before_action :set_request_format_from_path_extension rescue_from FileUploader::InvalidSecret, with: :render_404 + + rescue_from ::Gitlab::Utils::PathTraversalAttackError do + head :bad_request + end end def create @@ -33,6 +37,8 @@ module UploadsActions # - or redirect to its URL # def show + Gitlab::Utils.check_path_traversal!(params[:filename]) + return render_404 unless uploader&.exists? ttl, directives = *cache_settings |