path: root/lib/api
author: Nick Thomas <nick@gitlab.com> 2018-12-04 15:59:01 +0000
committer: Nick Thomas <nick@gitlab.com> 2018-12-05 14:12:35 +0000
commit: 69645389e925a106f00fed555fde54c38f26816a (patch)
tree: baf7b8dd019934e8bf9d113566b4497d64c61437 /lib/api
parent: 87186cbc922465875e299ed761ed4d6143ae501a (diff)
download: gitlab-ce-69645389e925a106f00fed555fde54c38f26816a.tar.gz
Prevent a path traversal attack on global file templates
The API permits path traversal characters like '../' to be passed down to the template finder. Detect these requests and cause them to fail with a 500 response code.
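The commit message describes rejecting template names that carry traversal sequences before they reach the template finder. The following Ruby is an added example, not GitLab's code, showing the two checks a defender would normally stack: an allow-list regex anchored to the whole string (so a bare `..` cannot slip through via the dot in the character class), and a containment check that resolves the candidate path and confirms it still lies under a fixed template root. `TEMPLATE_ROOT`, `SAFE_NAME`, `safe_template_name?`, `unanchored_accepts?` and `resolve_template_path` are names invented for this example.

```ruby
# Added example (not GitLab's code): validating a template name that is
# later used as a path component under a fixed template directory.
require 'pathname'

# Hypothetical template root; constructed for the example.
TEMPLATE_ROOT = '/srv/templates/gitignore'.freeze

# Allow-list anchored to the full string. The lookahead requires at least
# one word character, so names made only of dots ('.' or '..') are rejected
# even though '.' itself is a permitted character.
SAFE_NAME = /\A(?=.*\w)[\w.-]+\z/.freeze

# Unanchored form of the same character class, kept only to show why
# anchoring matters: it reports a match as soon as any substring fits.
UNANCHORED_NAME = /[\w.-]+/.freeze

def unanchored_accepts?(name)
  name.is_a?(String) && name.match?(UNANCHORED_NAME)
end

def safe_template_name?(name)
  name.is_a?(String) && name.match?(SAFE_NAME)
end

# Defence in depth: even for a name that passed the allow-list, resolve the
# candidate path lexically and confirm it is still inside TEMPLATE_ROOT.
# Returns the resolved path as a String, or nil when the name is rejected.
def resolve_template_path(name)
  return nil unless safe_template_name?(name)

  root = Pathname.new(TEMPLATE_ROOT)
  candidate = (root + "#{name}.gitignore").expand_path
  return nil unless candidate.to_s.start_with?("#{root}/")

  candidate.to_s
end
```

Usage: `resolve_template_path('Ruby')` yields the expected file under the root, while `resolve_template_path('..')` and `resolve_template_path('../../etc/passwd')` return nil. `unanchored_accepts?('../../etc/passwd')` returns true, which is the failure mode the anchored `SAFE_NAME` avoids.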
Diffstat (limited to 'lib/api')
-rw-r--r-- lib/api/templates.rb | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/api/templates.rb b/lib/api/templates.rb
index 8dab19d50c2..51f357d9477 100644
--- a/lib/api/templates.rb
+++ b/lib/api/templates.rb
@@ -82,7 +82,7 @@ module API
params do
requires :name, type: String, desc: 'The name of the template'
end
- get "templates/#{template_type}/:name" do
+ get "templates/#{template_type}/:name", requirements: { name: /[\w\.-]+/ } do
finder = TemplateFinder.build(template_type, nil, name: declared(params)[:name])
new_template = finder.execute
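Review bot: the requirement `/[\w\.-]+/` on the `:name` segment still accepts a name consisting only of dots, because `.` is inside the character class, so `..` on its own satisfies the new check; consider requiring at least one word character and anchoring the pattern explicitly (for example `/\A(?=.*\w)[\w.-]+\z/`) so the intent of matching the whole segment is visible in the code rather than left to the router. Two things are also worth confirming: the commit message says offending requests fail with a 500, but a route whose `requirements` do not match is normally treated as no matching route and surfaces as a 404, so the message and any spec should state the status the endpoint actually returns; and any existing template whose name contains a character outside `[\w.-]` becomes unreachable through this endpoint, so the set of shipped template names should be checked against the new class.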