author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-02-27 00:09:11 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-02-27 00:09:11 +0300 |
commit | f82d5dcab7c3d9a672abc827c92f86887b683a7d (patch) | |
tree | 4a4379a82ab825185aaeafdfb9eb0f9029dc286c /lib/gitlab/utils.rb | |
parent | 619d0b6922a6cf95d291fbbf5fa3d09e772a1ea8 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/utils.rb')
-rw-r--r-- | lib/gitlab/utils.rb | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/lib/gitlab/utils.rb b/lib/gitlab/utils.rb
index 7eddfc471f6..5727e73e725 100644
--- a/lib/gitlab/utils.rb
+++ b/lib/gitlab/utils.rb
@@ -5,10 +5,20 @@ module Gitlab
   extend self
 
   # Ensure that the relative path will not traverse outside the base directory
-  def check_path_traversal!(path)
-    raise StandardError.new("Invalid path") if path.start_with?("..#{File::SEPARATOR}") ||
+  # We url decode the path to avoid passing invalid paths forward in url encoded format.
+  # We are ok to pass some double encoded paths to File.open since they won't resolve.
+  # Also see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/24223#note_284122580
+  # It also checks for ALT_SEPARATOR aka '\' (forward slash)
+  def check_path_traversal!(path, allowed_absolute: false)
+    path = CGI.unescape(path)
+
+    if path.start_with?("..#{File::SEPARATOR}", "..#{File::ALT_SEPARATOR}") ||
         path.include?("#{File::SEPARATOR}..#{File::SEPARATOR}") ||
-        path.end_with?("#{File::SEPARATOR}..")
+        path.end_with?("#{File::SEPARATOR}..") ||
+        (!allowed_absolute && Pathname.new(path).absolute?)
+
+      raise StandardError.new("Invalid path")
+    end
     path
   end
 |
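Review bot: `File::ALT_SEPARATOR` is `nil` on POSIX, so the new `start_with?` pattern `"..#{File::ALT_SEPARATOR}"` collapses to a bare `".."` there and rejects legitimate relative names such as `..foo`, while the `include?` and `end_with?` branches never look at the backslash at all, so the backslash coverage the header comment promises is only partial on platforms where it is set (a bare `".."` is currently caught only through that same nil accident). `CGI.unescape` also turns `+` into a space, and since the decoded string is now what the method returns, a file named `a+b` would be forwarded as `a b`; if callers can pass raw rather than form-encoded paths, `CGI.unescape(path.tr('+', '%2B'))` or a URI-style decoder is the safer choice — worth confirming against the call sites. The comment `aka '\' (forward slash)` should read `backslash`, and `raise StandardError, "Invalid path"` is the idiomatic form. A single anchored regex that treats `..` as a whole segment bounded by either separator or the string edges states the intent without depending on platform constants; the `Gitlab` module opens outside the hunk, but the method itself is complete within it.
```ruby
  def check_path_traversal!(path, allowed_absolute: false)
    path = CGI.unescape(path)

    # File::ALT_SEPARATOR is nil on POSIX, so interpolating it must not collapse to "..";
    # reject ".." only when it is a whole path segment bounded by '/' or '\' (or the string edges).
    traversal = %r{(?:\A|[/\\])\.\.(?:[/\\]|\z)}.match?(path)

    if traversal || (!allowed_absolute && Pathname.new(path).absolute?)
      raise StandardError.new("Invalid path")
    end

    path
  end
```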