gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2020-02-27 00:09:11 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-02-27 00:09:11 +0300
commitf82d5dcab7c3d9a672abc827c92f86887b683a7d (patch)
tree4a4379a82ab825185aaeafdfb9eb0f9029dc286c /lib/gitlab/utils.rb
parent619d0b6922a6cf95d291fbbf5fa3d09e772a1ea8 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/utils.rb')
-rw-r--r--lib/gitlab/utils.rb16
1 files changed, 13 insertions, 3 deletions
diff --git a/lib/gitlab/utils.rb b/lib/gitlab/utils.rb
index 7eddfc471f6..5727e73e725 100644
--- a/lib/gitlab/utils.rb
+++ b/lib/gitlab/utils.rb
@@ -5,10 +5,20 @@ module Gitlab
extend self
# Ensure that the relative path will not traverse outside the base directory
- def check_path_traversal!(path)
- raise StandardError.new("Invalid path") if path.start_with?("..#{File::SEPARATOR}") ||
+ # We url decode the path to avoid passing invalid paths forward in url encoded format.
+ # We are ok to pass some double encoded paths to File.open since they won't resolve.
+ # Also see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/24223#note_284122580
+ # It also checks for ALT_SEPARATOR aka '\' (forward slash)
+ def check_path_traversal!(path, allowed_absolute: false)
+ path = CGI.unescape(path)
+
+ if path.start_with?("..#{File::SEPARATOR}", "..#{File::ALT_SEPARATOR}") ||
path.include?("#{File::SEPARATOR}..#{File::SEPARATOR}") ||
- path.end_with?("#{File::SEPARATOR}..")
+ path.end_with?("#{File::SEPARATOR}..") ||
+ (!allowed_absolute && Pathname.new(path).absolute?)
+
+ raise StandardError.new("Invalid path")
+ end
path
end