authorGitLab Bot <gitlab-bot@gitlab.com>2020-09-19 04:45:44 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-09-19 04:45:44 +0300
commit85dc423f7090da0a52c73eb66faf22ddb20efff9 (patch)
tree9160f299afd8c80c038f08e1545be119f5e3f1e1 /lib/uploaded_file.rb
parent15c2c8c66dbe422588e5411eee7e68f1fa440bb8 (diff)
Add latest changes from gitlab-org/gitlab@13-4-stable-ee
Diffstat (limited to 'lib/uploaded_file.rb')
-rw-r--r--lib/uploaded_file.rb29
1 files changed, 27 insertions, 2 deletions
diff --git a/lib/uploaded_file.rb b/lib/uploaded_file.rb
index 73029c934f4..cd5943b552e 100644
--- a/lib/uploaded_file.rb
+++ b/lib/uploaded_file.rb
@@ -42,6 +42,32 @@ class UploadedFile
@remote_id = remote_id
end
+ def self.from_params_without_field(params, upload_paths)
+ path = params['path']
+ remote_id = params['remote_id']
+ return if path.blank? && remote_id.blank?
+
+ # don't use file_path if remote_id is set
+ if remote_id.present?
+ file_path = nil
+ elsif path.present?
+ file_path = File.realpath(path)
+
+ unless self.allowed_path?(file_path, Array(upload_paths).compact)
+ raise InvalidPathError, "insecure path used '#{file_path}'"
+ end
+ end
+
+ UploadedFile.new(
+ file_path,
+ filename: params['name'],
+ content_type: params['type'] || 'application/octet-stream',
+ sha256: params['sha256'],
+ remote_id: remote_id,
+ size: params['size']
+ )
+ end
+
def self.from_params(params, field, upload_paths, path_override = nil)
path = path_override || params["#{field}.path"]
remote_id = params["#{field}.remote_id"]
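Review bot: `from_params_without_field` validates only `path`; `remote_id`, `sha256`, `size`, `name` and `type` are copied from `params` into the `UploadedFile` unchecked, and when `remote_id` is present the path check is skipped entirely, so the method is safe only if `params` has already been authenticated upstream (the callers are not visible in this hunk). A comment above the method would make that contract explicit, e.g. `# params must be the verified upload parameters, never raw request params`. Separately, `File.realpath(path)` raises `Errno::ENOENT` for a missing path, which a caller rescuing only `InvalidPathError` would not catch; if that matters, add `rescue Errno::ENOENT` and re-raise as `InvalidPathError`. The realpath/`allowed_path?` block is now duplicated in `from_params` and could move to a shared private class method so the two checks cannot drift.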
@@ -52,8 +78,7 @@ class UploadedFile
elsif path.present?
file_path = File.realpath(path)
- paths = Array(upload_paths) << Dir.tmpdir
- unless self.allowed_path?(file_path, paths.compact)
+ unless self.allowed_path?(file_path, Array(upload_paths).compact)
raise InvalidPathError, "insecure path used '#{file_path}'"
end
end
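Review bot: With `Dir.tmpdir` no longer appended, `Array(upload_paths).compact` is an empty list whenever a caller passes `nil`, and how `allowed_path?` treats an empty allowlist is not visible in this hunk. A spec asserting that `from_params` raises `InvalidPathError` for a temp-dir path when `upload_paths` is `nil` or `[]` would pin the fail-closed behaviour. A short comment such as `# upload_paths is the complete allowlist; Dir.tmpdir is not implied` would tell callers they must pass every permitted directory. `from_params` starts before and continues past this hunk.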