Fix symlink vulnerability in project import

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/49133
author: Stan Hu <stanhu@gmail.com> 2018-07-11 20:59:56 +0300
committer: Alessio Caiazza <acaiazza@gitlab.com> 2018-07-17 11:30:52 +0300
commit: eda8156e5c2b9bd026e7f56c0fa36e7cd7007df5 (patch)
tree: cd8ceb5649bb4b21288089a1b18639425ad552e9 /lib/gitlab/import_export
parent: 7f0431dd8550ac9d229d1383c03386c1634d015f (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/gitlab/import_export/file_importer.rb b/lib/gitlab/import_export/file_importer.rb
index 0f4c3498036..de36adc1d5a 100644
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -4,6 +4,7 @@ module Gitlab
       include Gitlab::ImportExport::CommandLineUtil
 
       MAX_RETRIES = 8
+      WHITELISTED_FILENAMES = %w(. ..).freeze
 
       def self.import(*args)
         new(*args).import
@@ -59,7 +60,7 @@ module Gitlab
       end
 
       def extracted_files
-        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ %r{.*/\.{1,2}$} }
+        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| WHITELISTED_FILENAMES.include?(File.basename(f)) }
       end
     end
   end
author	Stan Hu <stanhu@gmail.com>	2018-07-11 20:59:56 +0300
committer	Alessio Caiazza <acaiazza@gitlab.com>	2018-07-17 11:30:52 +0300
commit	eda8156e5c2b9bd026e7f56c0fa36e7cd7007df5 (patch)
tree	cd8ceb5649bb4b21288089a1b18639425ad552e9 /lib/gitlab/import_export
parent	7f0431dd8550ac9d229d1383c03386c1634d015f (diff)