1 files changed, 18 insertions, 2 deletions

diff --git a/spec/lib/bulk_imports/common/pipelines/uploads_pipeline_spec.rb b/spec/lib/bulk_imports/common/pipelines/uploads_pipeline_spec.rb
index 7a93365d098..35ca67c8a4c 100644
--- a/spec/lib/bulk_imports/common/pipelines/uploads_pipeline_spec.rb
+++ b/spec/lib/bulk_imports/common/pipelines/uploads_pipeline_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe BulkImports::Common::Pipelines::UploadsPipeline do
+RSpec.describe BulkImports::Common::Pipelines::UploadsPipeline, feature_category: :import do
   let_it_be(:project) { create(:project) }
   let_it_be(:group) { create(:group) }
 
@@ -103,7 +103,9 @@ RSpec.describe BulkImports::Common::Pipelines::UploadsPipeline do
 
       context 'when dynamic path is nil' do
         it 'returns' do
-          expect { pipeline.load(context, File.join(tmpdir, 'test')) }.not_to change { portable.uploads.count }
+          path = File.join(tmpdir, 'test')
+          FileUtils.touch(path)
+          expect { pipeline.load(context, path) }.not_to change { portable.uploads.count }
         end
       end
 
@@ -122,6 +124,20 @@ RSpec.describe BulkImports::Common::Pipelines::UploadsPipeline do
           expect { pipeline.load(context, symlink) }.not_to change { portable.uploads.count }
         end
       end
+
+      context 'when path traverses' do
+        it 'does not upload the file' do
+          path_traversal = "#{uploads_dir_path}/avatar/../../../../etc/passwd"
+          expect { pipeline.load(context, path_traversal) }.to not_change { portable.uploads.count }.and raise_error(Gitlab::Utils::PathTraversalAttackError)
+        end
+      end
+
+      context 'when path is outside the tmpdir' do
+        it 'does not upload the file' do
+          path = "/etc/passwd"
+          expect { pipeline.load(context, path) }.to not_change { portable.uploads.count }.and raise_error(StandardError, /not allowed/)
+        end
+      end
     end
 
     describe '#after_run' do