author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-18 14:18:50 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-18 14:18:50 +0300 |
commit | 8c7f4e9d5f36cff46365a7f8c4b9c21578c1e781 (patch) | |
tree | a77e7fe7a93de11213032ed4ab1f33a3db51b738 /lib/gitlab/gfm | |
parent | 00b35af3db1abfe813a778f643dad221aad51fca (diff) |
Add latest changes from gitlab-org/gitlab@13-1-stable-ee
Diffstat (limited to 'lib/gitlab/gfm')
-rw-r--r-- | lib/gitlab/gfm/uploads_rewriter.rb | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/lib/gitlab/gfm/uploads_rewriter.rb b/lib/gitlab/gfm/uploads_rewriter.rb
index 23af0a9bb18..08321d5fda6 100644
--- a/lib/gitlab/gfm/uploads_rewriter.rb
+++ b/lib/gitlab/gfm/uploads_rewriter.rb
@@ -22,9 +22,10 @@ module Gitlab
 return @text unless needs_rewrite?
 @text.gsub(@pattern) do |markdown|
- Gitlab::Utils.check_path_traversal!($~[:file])
+ file = find_file($~[:secret], $~[:file])
+ # No file will be returned for a path traversal
+ next if file.nil?
- file = find_file(@source_project, $~[:secret], $~[:file])
 break markdown unless file.try(:exists?)
 klass = target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
@@ -47,7 +48,7 @@ module Gitlab
 def files
 referenced_files = @text.scan(@pattern).map do
- find_file(@source_project, $~[:secret], $~[:file])
+ find_file($~[:secret], $~[:file])
 end
 referenced_files.compact.select(&:exists?)
@@ -57,12 +58,8 @@ module Gitlab
 markdown.starts_with?("!")
 end
- private
-
- def find_file(project, secret, file)
- uploader = FileUploader.new(project, secret: secret)
- uploader.retrieve_from_store!(file)
- uploader
+ def find_file(secret, file_name)
+ UploaderFinder.new(@source_project, secret, file_name).execute
 end
 end
 end |
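Review bot: In the first hunk, `next if file.nil?` runs inside the `gsub` block, so the block yields nil and the matched upload link is replaced with an empty string instead of being left as written; if the original markdown should survive, use `next markdown if file.nil?`. The explicit `Gitlab::Utils.check_path_traversal!($~[:file])` call is removed, so the traversal guard now rests entirely on `UploaderFinder`, which this diff does not show; a spec for this class that passes a file name containing a traversal sequence and asserts nothing is copied would pin that guarantee at the call site. The rejection is also silent now, where the old bang call presumably raised, so consider logging the skipped reference to keep such attempts visible to monitoring. The `gsub` block starts and ends outside the hunk.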
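Review bot: The last hunk drops the `private` marker, so `find_file` becomes a public method of the rewriter; nothing in the diff calls it from outside, so this looks unintentional. The method resolves an uploader for `@source_project` from a caller-supplied secret and file name, and keeping it private limits that lookup to the class's own methods: re-add `private` above `def find_file(secret, file_name)`. A doc comment such as `# Returns nil when the upload cannot be resolved (including path traversal attempts)` would record the nil contract that both callers in this file now rely on, as the comment in the first hunk implies.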