-rw-r--r--internal/service/deploy/deploy.go2
-rw-r--r--internal/service/deploy/deploy_test.go1
2 files changed, 2 insertions, 1 deletions
diff --git a/internal/service/deploy/deploy.go b/internal/service/deploy/deploy.go
index 936c2807..ac0e2452 100644
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -46,7 +46,7 @@ func validatePath(requestPath string) error {
return status.Errorf(codes.InvalidArgument, "invalid path: %q", requestPath)
}
- if strings.HasPrefix(requestPath, ".") || strings.HasPrefix(requestPath, "/") {
+ if strings.IndexAny(requestPath, "./~") == 0 {
return status.Errorf(codes.InvalidArgument, "invalid path: %q", requestPath)
}
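Review bot: The added condition `strings.IndexAny(requestPath, "./~") == 0` is easy to misread as a "contains" check, and nothing on the line says why each leading character is refused. A comment above it would help, for example `// Reject a leading '.', '/' or '~': dot-relative or hidden entries, absolute paths, and shell home-directory shorthand.` An empty requestPath makes IndexAny return -1, so it passes this check just as it passed the old HasPrefix pair. The start of validatePath is outside the hunk, so confirm that the earlier check rejects the empty path. Since this is a denylist of first characters, it would also be worth confirming that the caller checks the joined path still resolves under the site root before acting on it.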
diff --git a/internal/service/deploy/deploy_test.go b/internal/service/deploy/deploy_test.go
index 967c9c47..156e333c 100644
--- a/internal/service/deploy/deploy_test.go
+++ b/internal/service/deploy/deploy_test.go
@@ -100,6 +100,7 @@ func TestDeleteSiteFail(t *testing.T) {
{desc: "traversal end", path: "foo/bar/..", code: codes.InvalidArgument},
{desc: "path starting with period", path: ".foo/bar", code: codes.InvalidArgument},
{desc: "path starting with slash", path: "/foo/bar", code: codes.InvalidArgument},
+ {desc: "path starting with tilde", path: "~/foo/bar", code: codes.InvalidArgument},
{desc: "directory does not exist", path: "does/not/exist", code: codes.FailedPrecondition},
{desc: "path is a file not a directory", path: path.Join(sitePath, "hello"), code: codes.FailedPrecondition},
}
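Review bot: The new row exercises only `~/foo/bar`, while the validator now rejects any path whose first character is a tilde. A second row such as `{desc: "path starting with tilde name", path: "~foo/bar", code: codes.InvalidArgument},` would pin that behaviour, so a later change that narrows the check to `~/` does not pass unnoticed. The table starts outside the hunk, so I cannot tell whether an empty-path row already exists; if not, one belongs here too.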