path: root/Gemfile.lock
author Kamil TrzciƄski <ayufan@ayufan.eu> 2019-01-02 20:01:11 +0100
committer Yorick Peterse <yorickpeterse@gmail.com> 2019-01-31 16:52:48 +0100
commit 66744469d4f2c444c0248b84096d252db749d01c (patch)
tree 0b71d2c71a195d61dca9b814e7fff31abe59004e /Gemfile.lock
parent a1bf088201702ec4d36015c8f4cb635fa2ee2c5b (diff)
download gitlab-ce-66744469d4f2c444c0248b84096d252db749d01c.tar.gz
Extract GitLab Pages using RubyZip
RubyZip allows us to perform strong validation of expanded paths where we do extract file. We introduce the following additional checks to extract routines:

1. None of the path components can be symlinked,
2. We drop privileges support for directories,
3. Symlink source needs to point within the target directory, like `public/`,
4. The symlink source needs to exist ahead of time.
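The four checks listed in the commit message, worked through as an added example that is not GitLab's extraction code and does not use rubyzip itself: `Entry` is a hypothetical stand-in for an archive entry (name, type, content or link destination, mode), and `SafeExtract` validates each entry against a target directory using only the Ruby standard library. A `..` component, an existing symlink anywhere on the path, a link destination outside the root, and a link to a not-yet-extracted file are each rejected before anything is written; directory mode bits from the archive are ignored.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

# Hypothetical stand-in for an archive entry (assumption, not rubyzip's Zip::Entry):
# type is :file, :directory or :symlink; link_target holds a symlink's destination.
Entry = Struct.new(:name, :type, :content, :link_target, :mode, keyword_init: true)

class UnsafeEntryError < StandardError; end

module SafeExtract
  module_function

  # Clean path of +name+ under +root+; raise if it would resolve outside root.
  def target_path(root, name)
    root = Pathname.new(root).realpath
    path = root.join(name).cleanpath
    unless path.to_s.start_with?(root.to_s + File::SEPARATOR)
      raise UnsafeEntryError, "#{name} escapes #{root}"
    end
    [root, path]
  end

  # Check 1: no existing component between root and the target may be a symlink
  # (the leaf included), so an attacker-controlled earlier entry cannot redirect a write.
  def reject_symlinked_components!(root, path)
    path.relative_path_from(root).descend do |rel|
      component = root.join(rel)
      break unless component.exist? || component.symlink?
      raise UnsafeEntryError, "symlinked component: #{component}" if component.symlink?
    end
  end

  # Write a single entry below +root_dir+; returns the relative path written.
  def extract_entry(root_dir, entry)
    root, path = target_path(root_dir, entry.name)
    reject_symlinked_components!(root, path)

    case entry.type
    when :directory
      # Check 2: directories get default permissions; archive mode bits are dropped.
      FileUtils.mkdir_p(path)
    when :file
      FileUtils.mkdir_p(path.dirname)
      File.write(path, entry.content.to_s)
      File.chmod((entry.mode || 0o644) & 0o777, path)
    when :symlink
      # Check 3: the link destination, resolved from the link's own directory,
      # must stay inside root (absolute destinations fail this too).
      dest = Pathname.new(File.expand_path(entry.link_target, path.dirname.to_s)).cleanpath
      unless dest.to_s.start_with?(root.to_s + File::SEPARATOR)
        raise UnsafeEntryError, "symlink #{entry.name} points outside #{root}"
      end
      # Check 4: the destination must already exist; entries are processed in order,
      # so a link can only refer to something extracted (and validated) before it.
      raise UnsafeEntryError, "dangling symlink #{entry.name}" unless dest.exist?
      FileUtils.mkdir_p(path.dirname)
      File.symlink(entry.link_target, path)
    else
      raise UnsafeEntryError, "unsupported entry type #{entry.type}"
    end
    path.relative_path_from(root).to_s
  end

  # Extract every entry in archive order; returns the relative paths written.
  def extract_all(root_dir, entries)
    entries.map { |e| extract_entry(root_dir, e) }
  end
end
```

Because the check runs against the real filesystem state at extraction time, it also catches a symlink that was planted by a previous entry of the same archive, which is the case a string-only prefix check on entry names misses.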
Diffstat (limited to 'Gemfile.lock')
-rw-r--r-- Gemfile.lock 1
1 files changed, 1 insertions, 0 deletions
diff --git a/Gemfile.lock b/Gemfile.lock
index ec6af6ffb0c..1c28176ac62 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1138,6 +1138,7 @@ DEPENDENCIES
ruby-prof (~> 0.17.0)
ruby-progressbar
ruby_parser (~> 3.8)
+ rubyzip (~> 1.2.2)
rugged (~> 0.27)
sanitize (~> 4.6)
sass (~> 3.5)
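Review bot: this hunk only adds `rubyzip (~> 1.2.2)` under DEPENDENCIES; with a single insertion in the diffstat, no matching `rubyzip (x.y.z)` line is added under `specs:`, so the gem must already be resolved as a transitive dependency. Please confirm that the resolved version in `specs:` actually satisfies `~> 1.2.2` (it permits 1.2.x at or above 1.2.2 but not 1.3), and that the accompanying `Gemfile` change carries the same constraint, since this page is limited to `Gemfile.lock`. Given that the commit message relies on RubyZip for the symlink and path validation, a one-line comment in the `Gemfile` stating why the lower bound is 1.2.2 would keep that floor from being relaxed by a later dependency bump.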