Add latest changes from gitlab-org/security/gitlab@12-8-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-03-24 13:36:59 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-03-24 13:36:59 +0000
commit: f39b4225cba29695319bc51b5c04bf06d4cb409a (patch)
tree: 8302d2c7405cfe78b8b34bf63ee46cb3aae3ce47 /lib/gitlab/gfm/uploads_rewriter.rb
parent: 2774ddc308f96f49a0f26871ff544681229f4eee (diff)
download: gitlab-ce-f39b4225cba29695319bc51b5c04bf06d4cb409a.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/gitlab/gfm/uploads_rewriter.rb b/lib/gitlab/gfm/uploads_rewriter.rb
index 6b52d6e88e5..23af0a9bb18 100644
--- a/lib/gitlab/gfm/uploads_rewriter.rb
+++ b/lib/gitlab/gfm/uploads_rewriter.rb
@@ -22,6 +22,8 @@ module Gitlab
         return @text unless needs_rewrite?
 
         @text.gsub(@pattern) do |markdown|
+          Gitlab::Utils.check_path_traversal!($~[:file])
+
           file = find_file(@source_project, $~[:secret], $~[:file])
           break markdown unless file.try(:exists?)
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-03-24 13:36:59 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-03-24 13:36:59 +0000
commit	f39b4225cba29695319bc51b5c04bf06d4cb409a (patch)
tree	8302d2c7405cfe78b8b34bf63ee46cb3aae3ce47 /lib/gitlab/gfm/uploads_rewriter.rb
parent	2774ddc308f96f49a0f26871ff544681229f4eee (diff)
download	gitlab-ce-f39b4225cba29695319bc51b5c04bf06d4cb409a.tar.gz