author | Stan Hu <stanhu@gmail.com> | 2018-07-11 20:59:56 +0300 |
---|---|---|
committer | Alessio Caiazza <acaiazza@gitlab.com> | 2018-07-17 11:30:52 +0300 |
commit | eda8156e5c2b9bd026e7f56c0fa36e7cd7007df5 (patch) | |
tree | cd8ceb5649bb4b21288089a1b18639425ad552e9 /lib/gitlab/import_export | |
parent | 7f0431dd8550ac9d229d1383c03386c1634d015f (diff) |
Fix symlink vulnerability in project import
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/49133
Diffstat (limited to 'lib/gitlab/import_export')
-rw-r--r-- | lib/gitlab/import_export/file_importer.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/gitlab/import_export/file_importer.rb b/lib/gitlab/import_export/file_importer.rb
index 0f4c3498036..de36adc1d5a 100644
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -4,6 +4,7 @@ module Gitlab
 include Gitlab::ImportExport::CommandLineUtil
 MAX_RETRIES = 8
+ WHITELISTED_FILENAMES = %w(. ..).freeze
 def self.import(*args)
 new(*args).import
@@ -59,7 +60,7 @@ module Gitlab
 end
 def extracted_files
- Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ %r{.*/\.{1,2}$} }
+ Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| WHITELISTED_FILENAMES.include?(File.basename(f)) }
 end
 end
 end |
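Review bot: Neither the constant added in the first hunk nor its use in `extracted_files` says why the match has to be exact, so a later cleanup could quietly bring a pattern match back. The removed regex ended in `$`, which in Ruby matches before a newline and not only at the end of the string, so presumably a crafted entry name could satisfy it and drop out of the list that the symlink check walks. I would add above the constant `# Skip only the literal "." and ".." entries that FNM_DOTMATCH returns; compare the basename exactly, never with a line-anchored regex.` The name `WHITELISTED_FILENAMES` also reads as if these were permitted files when they are really ignored directory entries, so a name saying "ignored" would describe the intent better. The callers of `extracted_files` are outside both hunks, so it is worth confirming there that every returned path is checked before anything is read from it.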