Merge remote-tracking branch 'dev/12-9-stable' into 12-9-stable

author: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2020-03-26 20:56:41 +0300
committer: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2020-03-26 20:56:41 +0300
commit: e5121cd2a1ea1df276317fa68765e969a0b21eae (patch)
tree: 3b9732ce48aab909276c030b9a60d1c12cee2525 /lib/gitlab/gfm/uploads_rewriter.rb
parent: 4ee3ab616fc8b89b957b531294b67097941e49f6 (diff)
parent: 63745c932cc8bc81fc2b2d30e9a171e346f4b969 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/gitlab/gfm/uploads_rewriter.rb b/lib/gitlab/gfm/uploads_rewriter.rb
index 6b52d6e88e5..23af0a9bb18 100644
--- a/lib/gitlab/gfm/uploads_rewriter.rb
+++ b/lib/gitlab/gfm/uploads_rewriter.rb
@@ -22,6 +22,8 @@ module Gitlab
         return @text unless needs_rewrite?
 
         @text.gsub(@pattern) do |markdown|
+          Gitlab::Utils.check_path_traversal!($~[:file])
+
           file = find_file(@source_project, $~[:secret], $~[:file])
           break markdown unless file.try(:exists?)
author	GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>	2020-03-26 20:56:41 +0300
committer	GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>	2020-03-26 20:56:41 +0300
commit	e5121cd2a1ea1df276317fa68765e969a0b21eae (patch)
tree	3b9732ce48aab909276c030b9a60d1c12cee2525 /lib/gitlab/gfm/uploads_rewriter.rb
parent	4ee3ab616fc8b89b957b531294b67097941e49f6 (diff)
parent	63745c932cc8bc81fc2b2d30e9a171e346f4b969 (diff)