Merge branch 'fix-issue-49133' into 'master'

Fix symlink vulnerability in project import See merge request gitlab/gitlabhq!2440
author: José Iván Vargas López <jvargas@gitlab.com> 2018-07-18 01:04:29 +0300
committer: José Iván Vargas López <jvargas@gitlab.com> 2018-07-18 01:04:29 +0300
commit: 465da1c7b48173ff01ca6447d390b999643eb9c4 (patch)
tree: 538610fbb25dfb73acf847f81c8d4e06dab6af1f /lib
parent: ffa970a5d227352cbd6ee8d0702cbb138287ec56 (diff)
parent: 1025059d1f15afa3ec55e7fff78633c517d0c3c2 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/gitlab/import_export/file_importer.rb b/lib/gitlab/import_export/file_importer.rb
index 0f4c3498036..4c411f4847e 100644
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -4,6 +4,7 @@ module Gitlab
       include Gitlab::ImportExport::CommandLineUtil
 
       MAX_RETRIES = 8
+      IGNORED_FILENAMES = %w(. ..).freeze
 
       def self.import(*args)
         new(*args).import
@@ -59,7 +60,7 @@ module Gitlab
       end
 
       def extracted_files
-        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ %r{.*/\.{1,2}$} }
+        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| IGNORED_FILENAMES.include?(File.basename(f)) }
       end
     end
   end
author	José Iván Vargas López <jvargas@gitlab.com>	2018-07-18 01:04:29 +0300
committer	José Iván Vargas López <jvargas@gitlab.com>	2018-07-18 01:04:29 +0300
commit	465da1c7b48173ff01ca6447d390b999643eb9c4 (patch)
tree	538610fbb25dfb73acf847f81c8d4e06dab6af1f /lib
parent	ffa970a5d227352cbd6ee8d0702cbb138287ec56 (diff)
parent	1025059d1f15afa3ec55e7fff78633c517d0c3c2 (diff)