author: Kamil Trzciński <ayufan@ayufan.eu> 2019-01-02 20:01:11 +0100
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-01-31 16:52:48 +0100
commit: 66744469d4f2c444c0248b84096d252db749d01c (patch)
tree: 0b71d2c71a195d61dca9b814e7fff31abe59004e /Gemfile
parent: a1bf088201702ec4d36015c8f4cb635fa2ee2c5b (diff)
download: gitlab-ce-66744469d4f2c444c0248b84096d252db749d01c.tar.gz
Extract GitLab Pages using RubyZip

RubyZip allows us to perform strong validation of expanded paths where we extract files. We introduce the following additional checks to the extract routines:

1. None of the path components can be symlinked,
2. We drop privilege support for directories,
3. The symlink source needs to point within the target directory, like `public/`,
4. The symlink source needs to exist ahead of time.
Diffstat (limited to 'Gemfile')
-rw-r--r-- Gemfile | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/Gemfile b/Gemfile
index 943b0260dcb..40950fbfb43 100644
--- a/Gemfile
+++ b/Gemfile
@@ -57,6 +57,7 @@ gem 'u2f', '~> 0.2.1'
# GitLab Pages
gem 'validates_hostname', '~> 1.0.6'
+gem 'rubyzip', '~> 1.2.2', require: false
# Browser detection
gem 'browser', '~> 2.5'
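Review bot: `require: false` on the new `gem 'rubyzip', '~> 1.2.2', require: false` line means Bundler will not load the gem automatically, so the extraction routines that the commit message describes must `require 'zip'` explicitly; since this diff is limited to `Gemfile`, that require and the four path checks listed in the message (no symlinked path components, no directory privileges, symlink sources confined to the target directory such as `public/`, and symlink sources existing ahead of time) cannot be verified here and should be reviewed in the accompanying extraction change. The `~> 1.2.2` constraint allows only 1.2.x releases at or above 1.2.2, which is the right shape for a dependency the commit relies on for path validation, but it should be revisited when a newer minor series is adopted.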