Add latest changes from gitlab-org/security/gitlab@15-8-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-01-30 09:13:00 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-01-30 09:13:00 +0000
commit: e92925533667e147ff34cf1e9b8af21680c8c7d4 (patch)
tree: 1594de73938c3015737864b667e43b5e9650c9fb /app/models/concerns/sanitizable.rb
parent: c3e54801bb461b6d53c48e3194f87cb5ebf3f5ba (diff)
download: gitlab-ce-e92925533667e147ff34cf1e9b8af21680c8c7d4.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/app/models/concerns/sanitizable.rb b/app/models/concerns/sanitizable.rb
index 05756beb404..653d7a4875d 100644
--- a/app/models/concerns/sanitizable.rb
+++ b/app/models/concerns/sanitizable.rb
@@ -45,6 +45,15 @@ module Sanitizable
           unless input.to_s == CGI.unescapeHTML(input.to_s)
             record.errors.add(attr, 'cannot contain escaped HTML entities')
           end
+
+          # This method raises an exception on failure so perform this
+          # last if multiple errors should be returned.
+          Gitlab::Utils.check_path_traversal!(input.to_s)
+
+        rescue Gitlab::Utils::DoubleEncodingError
+          record.errors.add(attr, 'cannot contain escaped components')
+        rescue Gitlab::Utils::PathTraversalAttackError
+          record.errors.add(attr, "cannot contain a path traversal component")
         end
       end
     end
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-01-30 09:13:00 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-01-30 09:13:00 +0000
commit	e92925533667e147ff34cf1e9b8af21680c8c7d4 (patch)
tree	1594de73938c3015737864b667e43b5e9650c9fb /app/models/concerns/sanitizable.rb
parent	c3e54801bb461b6d53c48e3194f87cb5ebf3f5ba (diff)
download	gitlab-ce-e92925533667e147ff34cf1e9b8af21680c8c7d4.tar.gz