Check snippet attached file to be moved is within designated directory

Previously one could move any temp/ sub folder around. Align spec with actual usage, as currently we pass temp file path to FileMover.
author: Mark Chao <mchao@gitlab.com> 2019-02-13 11:23:58 +0300
committer: Mark Chao <mchao@gitlab.com> 2019-02-21 11:43:50 +0300
commit: 7fa334135f3afe82bd9ec7855cbc8bc7e92912dd (patch)
tree: a88878df251f62f5c7740b5a9a1cba52ac21b70a /app
parent: c5b5b18b3f1c5b683ceb4471e667d675de9200eb (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/app/uploaders/file_mover.rb b/app/uploaders/file_mover.rb
index a7f8615e9ba..236b7ed2b3d 100644
--- a/app/uploaders/file_mover.rb
+++ b/app/uploaders/file_mover.rb
@@ -11,6 +11,8 @@ class FileMover
   end
 
   def execute
+    return unless valid?
+
     move
 
     if update_markdown
@@ -21,6 +23,12 @@ class FileMover
 
   private
 
+  def valid?
+    Pathname.new(temp_file_path).realpath.to_path.start_with?(
+      (Pathname(temp_file_uploader.root) + temp_file_uploader.base_dir).to_path
+    )
+  end
+
   def move
     FileUtils.mkdir_p(File.dirname(file_path))
     FileUtils.move(temp_file_path, file_path)
author	Mark Chao <mchao@gitlab.com>	2019-02-13 11:23:58 +0300
committer	Mark Chao <mchao@gitlab.com>	2019-02-21 11:43:50 +0300
commit	7fa334135f3afe82bd9ec7855cbc8bc7e92912dd (patch)
tree	a88878df251f62f5c7740b5a9a1cba52ac21b70a /app
parent	c5b5b18b3f1c5b683ceb4471e667d675de9200eb (diff)