
authorGitLab Bot <gitlab-bot@gitlab.com>2022-09-29 01:02:13 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-09-29 01:02:23 +0300
commitcda92b051261cb820ed3ea9683865aeb85890411 (patch)
treec1c49629eb0aebd9806775d56eb329797d6ecfc0 /lib
parentcbc166ca72db07da07995c60bbbf4e83ba30699d (diff)
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/gfm/uploads_rewriter.rb49
1 files changed, 31 insertions, 18 deletions
diff --git a/lib/gitlab/gfm/uploads_rewriter.rb b/lib/gitlab/gfm/uploads_rewriter.rb
index b0bf68f4204..58b46a85aae 100644
--- a/lib/gitlab/gfm/uploads_rewriter.rb
+++ b/lib/gitlab/gfm/uploads_rewriter.rb
@@ -23,33 +23,24 @@ module Gitlab
def rewrite(target_parent)
return @text unless needs_rewrite?
- @text.gsub!(@pattern) do |markdown|
- file = find_file($~[:secret], $~[:file])
- # No file will be returned for a path traversal
- next if file.nil?
+ @target_parent = target_parent
- break markdown unless file.try(:exists?)
-
- klass = target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
- moved = klass.copy_to(file, target_parent)
-
- moved_markdown = moved.markdown_link
-
- # Prevents rewrite of plain links as embedded
- if was_embedded?(markdown)
- moved_markdown
- else
- moved_markdown.delete_prefix('!')
- end
+ rewritten_text = Gitlab::StringRegexMarker.new(@text).mark(@pattern) do |markdown, left:, right:, mode:|
+ transform_markdown(markdown)
end
+
+ # MarkdownContentRewriterService relies on the text being changed _in place_.
+ @text.gsub!(@text, rewritten_text)
end
def needs_rewrite?
strong_memoize(:needs_rewrite) do
- FileUploader::MARKDOWN_PATTERN.match?(@text)
+ @pattern.match?(@text)
end
end
+ private
+
def was_embedded?(markdown)
markdown.starts_with?("!")
end
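Review bot: The in-place update `@text.gsub!(@text, rewritten_text)` at the end of `rewrite` passes the rewritten Markdown as a gsub replacement string, and backslash sequences in a replacement are interpreted even when the pattern is a plain String. A double backslash collapses to one and `\0` expands to the whole match, which here is the original text. Markdown containing such sequences would come out altered, and a `\0` could carry the unrewritten upload links back into the result, including links that transform_markdown meant to drop. `@text.replace(rewritten_text)` mutates the same String object without interpreting its argument, so the in-place contract described in the comment still holds.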
@@ -57,6 +48,28 @@ module Gitlab
def find_file(secret, file_name)
UploaderFinder.new(@source_project, secret, file_name).execute
end
+
+ def transform_markdown(markdown)
+ match = @pattern.match(markdown)
+ file = find_file(match[:secret], match[:file])
+
+ # No file will be returned for a path traversal
+ return '' if file.nil?
+
+ return markdown unless file.try(:exists?)
+
+ klass = @target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
+ moved = klass.copy_to(file, @target_parent)
+
+ moved_markdown = moved.markdown_link
+
+ # Prevents rewrite of plain links as embedded
+ if was_embedded?(markdown)
+ moved_markdown
+ else
+ moved_markdown.delete_prefix('!')
+ end
+ end
end
end
end
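Review bot: The `return '' if file.nil?` branch in `transform_markdown` discards the link without leaving any trace, so a rejected lookup (the comment says this is the path-traversal case) gives operators no signal that it happened. A warning-level log entry before the return, carrying the source project and target parent identifiers rather than the raw path, would make such attempts visible; whether UploaderFinder already logs is not visible in this hunk. Separately, `match[:secret]` assumes `@pattern.match(markdown)` succeeds on the isolated fragment. If the pattern ever depends on surrounding context it returns nil and the lookup raises, so a guard such as `return markdown unless match` would be cheap.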