author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-22 21:44:12 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-22 21:44:12 +0300 |
commit | 34d6370bacdf1849de3618f23faaa9de76612e31 (patch) | |
tree | 1420e018fea4068504d059141212502e6f9ac040 /app | |
parent | 727b75d3e8ecb88c70edbb017f29a8da302656c0 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-0-stable-eev16.0.1
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/concerns/uploads_actions.rb | 6 | ||||
-rw-r--r-- | app/uploaders/object_storage.rb | 2 |
2 files changed, 8 insertions, 0 deletions
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb
index db756ae336f..0d64a685065 100644
--- a/app/controllers/concerns/uploads_actions.rb
+++ b/app/controllers/concerns/uploads_actions.rb
@@ -10,6 +10,10 @@ module UploadsActions
 included do
 prepend_before_action :set_request_format_from_path_extension
 rescue_from FileUploader::InvalidSecret, with: :render_404
+
+ rescue_from ::Gitlab::Utils::PathTraversalAttackError do
+ head :bad_request
+ end
 end
 
 def create
@@ -33,6 +37,8 @@ module UploadsActions
 # - or redirect to its URL
 #
 def show
+ Gitlab::Utils.check_path_traversal!(params[:filename])
+
 return render_404 unless uploader&.exists?
 
 ttl, directives = *cache_settings
diff --git a/app/uploaders/object_storage.rb b/app/uploaders/object_storage.rb
index 4188e0caa8e..0a30f0e99f7 100644
--- a/app/uploaders/object_storage.rb
+++ b/app/uploaders/object_storage.rb
@@ -410,6 +410,8 @@ module ObjectStorage
 end
 
 def retrieve_from_store!(identifier)
+ Gitlab::Utils.check_path_traversal!(identifier)
+
 # We need to force assign the value of @filename so that we will still
 # get the original_filename in cases wherein the file points to a random generated
 # path format. This happens for direct uploaded files to final location. |
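Review bot: The new `rescue_from ::Gitlab::Utils::PathTraversalAttackError` handler in the `included do` block answers 400, while the `FileUploader::InvalidSecret` handler directly above it answers 404 through `with: :render_404`, and nothing here says why the two rejections differ. A one-line comment above the block would settle it, e.g. `# Traversal sequences in an upload path are a malformed request, not a missing file: answer 400.` The handler also discards the exception; whether `check_path_traversal!` records the rejected value cannot be seen from this hunk, so if it does not, this block is the place to log it so that repeated rejections are visible in monitoring.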
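Review bot: Only `params[:filename]` is validated at the top of `show`; `uploader` is defined outside the hunk, so I cannot tell whether other request-derived values feed the path it resolves, and if they do they deserve the same call. The other actions of the concern (`create` is visible in the previous hunk) are untouched by this change and are worth checking for the same input. The comment block above `show` appears to list the possible outcomes and should gain a line such as `# - or respond with 400 when the filename contains a path traversal sequence`. `show` continues past the end of the hunk.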
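Review bot: `retrieve_from_store!` can now raise `Gitlab::Utils::PathTraversalAttackError`, but the only handler visible on this page is the `rescue_from` in `UploadsActions`; any other caller that reaches this method with a rejected identifier would presumably surface it as an unhandled error. It is worth confirming the remaining call sites and documenting the new contract on the method, e.g. `# Raises Gitlab::Utils::PathTraversalAttackError when identifier contains a path traversal sequence.` The existing comment below the check still describes only the `@filename` assignment, so the added line has no explanation of its own. The method body continues outside the hunk.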