diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-20 15:10:58 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-20 15:10:58 +0000 |
commit | 049d16d168fdee408b78f5f38619c092fd3b2265 (patch) | |
tree | 22d1db5ab4fae0967a4da4b1a6b097ef9e5d7aa2 /lib/gitlab/utils.rb | |
parent | bf18f3295b550c564086efd0a32d9a25435ce216 (diff) | |
download | gitlab-ce-049d16d168fdee408b78f5f38619c092fd3b2265.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/utils.rb')
-rw-r--r-- | lib/gitlab/utils.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/gitlab/utils.rb b/lib/gitlab/utils.rb index a67a0758257..761cdf25765 100644 --- a/lib/gitlab/utils.rb +++ b/lib/gitlab/utils.rb @@ -14,7 +14,10 @@ module Gitlab # Also see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/24223#note_284122580 # It also checks for ALT_SEPARATOR aka '\' (forward slash) def check_path_traversal!(path) - return unless path.is_a?(String) + return unless path + + path = path.to_s if path.is_a?(Gitlab::HashedPath) + raise PathTraversalAttackError, 'Invalid path' unless path.is_a?(String) path = decode_path(path) path_regex = %r{(\A(\.{1,2})\z|\A\.\.[/\\]|[/\\]\.\.\z|[/\\]\.\.[/\\]|\n)} |