From 34d6370bacdf1849de3618f23faaa9de76612e31 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Mon, 22 May 2023 18:44:12 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@16-0-stable-ee --- app/controllers/concerns/uploads_actions.rb | 6 ++++++ app/uploaders/object_storage.rb | 2 ++ 2 files changed, 8 insertions(+) (limited to 'app') diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb index db756ae336f..0d64a685065 100644 --- a/app/controllers/concerns/uploads_actions.rb +++ b/app/controllers/concerns/uploads_actions.rb @@ -10,6 +10,10 @@ module UploadsActions included do prepend_before_action :set_request_format_from_path_extension rescue_from FileUploader::InvalidSecret, with: :render_404 + + rescue_from ::Gitlab::Utils::PathTraversalAttackError do + head :bad_request + end end def create @@ -33,6 +37,8 @@ module UploadsActions # - or redirect to its URL # def show + Gitlab::Utils.check_path_traversal!(params[:filename]) + return render_404 unless uploader&.exists? ttl, directives = *cache_settings diff --git a/app/uploaders/object_storage.rb b/app/uploaders/object_storage.rb index 4188e0caa8e..0a30f0e99f7 100644 --- a/app/uploaders/object_storage.rb +++ b/app/uploaders/object_storage.rb @@ -410,6 +410,8 @@ module ObjectStorage end def retrieve_from_store!(identifier) + Gitlab::Utils.check_path_traversal!(identifier) + # We need to force assign the value of @filename so that we will still # get the original_filename in cases wherein the file points to a random generated # path format. This happens for direct uploaded files to final location. -- cgit v1.2.3