diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-30 09:13:00 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-30 09:13:00 +0000 |
commit | e92925533667e147ff34cf1e9b8af21680c8c7d4 (patch) | |
tree | 1594de73938c3015737864b667e43b5e9650c9fb /app/models/concerns/sanitizable.rb | |
parent | c3e54801bb461b6d53c48e3194f87cb5ebf3f5ba (diff) | |
download | gitlab-ce-e92925533667e147ff34cf1e9b8af21680c8c7d4.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-8-stable-ee
Diffstat (limited to 'app/models/concerns/sanitizable.rb')
-rw-r--r-- | app/models/concerns/sanitizable.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/app/models/concerns/sanitizable.rb b/app/models/concerns/sanitizable.rb index 05756beb404..653d7a4875d 100644 --- a/app/models/concerns/sanitizable.rb +++ b/app/models/concerns/sanitizable.rb @@ -45,6 +45,15 @@ module Sanitizable unless input.to_s == CGI.unescapeHTML(input.to_s) record.errors.add(attr, 'cannot contain escaped HTML entities') end + + # This method raises an exception on failure so perform this + # last if multiple errors should be returned. + Gitlab::Utils.check_path_traversal!(input.to_s) + + rescue Gitlab::Utils::DoubleEncodingError + record.errors.add(attr, 'cannot contain escaped components') + rescue Gitlab::Utils::PathTraversalAttackError + record.errors.add(attr, "cannot contain a path traversal component") end end end |