Merge branch 'security-56348' into 'master'

Check snippet attached file to be moved is within designated directory Closes #2806 See merge request gitlab/gitlabhq!2903
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 21:36:45 +0300
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 21:36:45 +0300
commit: 9e4a9cda8cf0f77475195bf980a14da70ddd42a5 (patch)
tree: 7b3527f1485a6df5b9868ec02bb9759a5abf8986 /app
parent: fa2f136f85f4e56ecd5ec2797cc1f58eec09f8ea (diff)
parent: d72b1cd0b5b01d6fec6b93d9dfe84f8302083072 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/app/uploaders/file_mover.rb b/app/uploaders/file_mover.rb
index a7f8615e9ba..236b7ed2b3d 100644
--- a/app/uploaders/file_mover.rb
+++ b/app/uploaders/file_mover.rb
@@ -11,6 +11,8 @@ class FileMover
   end
 
   def execute
+    return unless valid?
+
     move
 
     if update_markdown
@@ -21,6 +23,12 @@ class FileMover
 
   private
 
+  def valid?
+    Pathname.new(temp_file_path).realpath.to_path.start_with?(
+      (Pathname(temp_file_uploader.root) + temp_file_uploader.base_dir).to_path
+    )
+  end
+
   def move
     FileUtils.mkdir_p(File.dirname(file_path))
     FileUtils.move(temp_file_path, file_path)
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 21:36:45 +0300
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 21:36:45 +0300
commit	9e4a9cda8cf0f77475195bf980a14da70ddd42a5 (patch)
tree	7b3527f1485a6df5b9868ec02bb9759a5abf8986 /app
parent	fa2f136f85f4e56ecd5ec2797cc1f58eec09f8ea (diff)
parent	d72b1cd0b5b01d6fec6b93d9dfe84f8302083072 (diff)