From ce1fa35a553be562ada3717d90908d8b4b12d9ad Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Mon, 27 Apr 2020 21:03:39 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee

---
 lib/gitlab/middleware/multipart.rb | 18 ++++++++++--------
 lib/uploaded_file.rb               |  9 +++++----
 2 files changed, 15 insertions(+), 12 deletions(-)

(limited to 'lib')

diff --git a/lib/gitlab/middleware/multipart.rb b/lib/gitlab/middleware/multipart.rb
index c82c05e7319..7d0de3aee1c 100644
--- a/lib/gitlab/middleware/multipart.rb
+++ b/lib/gitlab/middleware/multipart.rb
@@ -43,11 +43,13 @@ module Gitlab
             raise "unexpected field: #{field.inspect}" unless parsed_field.count == 1
 
             key, value = parsed_field.first
-            if value.nil?
-              value = open_file(@request.params, key)
+            if value.nil? # we have a top level param, eg. field = 'foo' and not 'foo[bar]'
+              raise "invalid field: #{field.inspect}" if field != key
+
+              value = open_file(@request.params, key, tmp_path.presence)
               @open_files << value
             else
-              value = decorate_params_value(value, @request.params[key])
+              value = decorate_params_value(value, @request.params[key], tmp_path.presence)
             end
 
             update_param(key, value)
@@ -59,7 +61,7 @@ module Gitlab
         end
 
         # This function calls itself recursively
-        def decorate_params_value(path_hash, value_hash)
+        def decorate_params_value(path_hash, value_hash, path_override = nil)
           unless path_hash.is_a?(Hash) && path_hash.count == 1
             raise "invalid path: #{path_hash.inspect}"
           end
@@ -72,19 +74,19 @@ module Gitlab
 
           case path_value
           when nil
-            value_hash[path_key] = open_file(value_hash.dig(path_key), '')
+            value_hash[path_key] = open_file(value_hash.dig(path_key), '', path_override)
             @open_files << value_hash[path_key]
             value_hash
           when Hash
-            decorate_params_value(path_value, value_hash[path_key])
+            decorate_params_value(path_value, value_hash[path_key], path_override)
             value_hash
           else
             raise "unexpected path value: #{path_value.inspect}"
           end
         end
 
-        def open_file(params, key)
-          ::UploadedFile.from_params(params, key, allowed_paths)
+        def open_file(params, key, path_override = nil)
+          ::UploadedFile.from_params(params, key, allowed_paths, path_override)
         end
 
         # update_params ensures that both rails controllers and rack middleware can find
diff --git a/lib/uploaded_file.rb b/lib/uploaded_file.rb
index f8d596b5d14..73029c934f4 100644
--- a/lib/uploaded_file.rb
+++ b/lib/uploaded_file.rb
@@ -42,13 +42,14 @@ class UploadedFile
     @remote_id = remote_id
   end
 
-  def self.from_params(params, field, upload_paths)
-    path = params["#{field}.path"]
+  def self.from_params(params, field, upload_paths, path_override = nil)
+    path = path_override || params["#{field}.path"]
     remote_id = params["#{field}.remote_id"]
     return if path.blank? && remote_id.blank?
 
-    file_path = nil
-    if path.present?
+    if remote_id.present? # don't use file_path if remote_id is set
+      file_path = nil
+    elsif path.present?
       file_path = File.realpath(path)
 
       paths = Array(upload_paths) << Dir.tmpdir
-- 
cgit v1.2.3