Merge branch 'import-symlinks-9-3' into 'security-9-3'

Fix file disclosure via hidden symlinks using the project import (9.3) See merge request !2164
author: James Edwards-Jones <jedwardsjones@gitlab.com> 2017-08-09 00:18:02 +0300
committer: James Edwards-Jones <jedwardsjones@gitlab.com> 2017-08-10 22:42:01 +0300
commit: 334915d50884e54ed8034b4b8820f285b14837c5 (patch)
tree: cd4e834ef0f83714cdbcc63f5780e9c7c6de42b1 /lib
parent: 4c7ada21c0502879ae8700225723043df864c490 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/gitlab/import_export/file_importer.rb b/lib/gitlab/import_export/file_importer.rb
index ffd17118c91..989342389bc 100644
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -47,12 +47,16 @@ module Gitlab
       end
 
       def remove_symlinks!
-        Dir["#{@shared.export_path}/**/*"].each do |path|
+        extracted_files.each do |path|
           FileUtils.rm(path) if File.lstat(path).symlink?
         end
 
         true
       end
+
+      def extracted_files
+        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ /.*\/\.{1,2}$/ }
+      end
     end
   end
 end
author	James Edwards-Jones <jedwardsjones@gitlab.com>	2017-08-09 00:18:02 +0300
committer	James Edwards-Jones <jedwardsjones@gitlab.com>	2017-08-10 22:42:01 +0300
commit	334915d50884e54ed8034b4b8820f285b14837c5 (patch)
tree	cd4e834ef0f83714cdbcc63f5780e9c7c6de42b1 /lib
parent	4c7ada21c0502879ae8700225723043df864c490 (diff)