Check snippet attached file to be moved is within designated directory

Previously one could move any temp/ sub folder around.
author: Mark Chao <mchao@gitlab.com> 2019-02-13 16:24:26 +0800
committer: Mark Chao <mchao@gitlab.com> 2019-02-21 16:44:44 +0800
commit: d72b1cd0b5b01d6fec6b93d9dfe84f8302083072 (patch)
tree: 8b37b49971929fb56b1f72554f227f8be6a8cb0c /app/uploaders
parent: a9291f15ea10e3cfc94282ffb4e0969e9d4175eb (diff)
download: gitlab-ce-d72b1cd0b5b01d6fec6b93d9dfe84f8302083072.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/app/uploaders/file_mover.rb b/app/uploaders/file_mover.rb
index a7f8615e9ba..236b7ed2b3d 100644
--- a/app/uploaders/file_mover.rb
+++ b/app/uploaders/file_mover.rb
@@ -11,6 +11,8 @@ class FileMover
   end
 
   def execute
+    return unless valid?
+
     move
 
     if update_markdown
@@ -21,6 +23,12 @@ class FileMover
 
   private
 
+  def valid?
+    Pathname.new(temp_file_path).realpath.to_path.start_with?(
+      (Pathname(temp_file_uploader.root) + temp_file_uploader.base_dir).to_path
+    )
+  end
+
   def move
     FileUtils.mkdir_p(File.dirname(file_path))
     FileUtils.move(temp_file_path, file_path)
author	Mark Chao <mchao@gitlab.com>	2019-02-13 16:24:26 +0800
committer	Mark Chao <mchao@gitlab.com>	2019-02-21 16:44:44 +0800
commit	d72b1cd0b5b01d6fec6b93d9dfe84f8302083072 (patch)
tree	8b37b49971929fb56b1f72554f227f8be6a8cb0c /app/uploaders
parent	a9291f15ea10e3cfc94282ffb4e0969e9d4175eb (diff)
download	gitlab-ce-d72b1cd0b5b01d6fec6b93d9dfe84f8302083072.tar.gz