Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-10-20 15:10:58 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-10-20 15:10:58 +0000
commit: 049d16d168fdee408b78f5f38619c092fd3b2265 (patch)
tree: 22d1db5ab4fae0967a4da4b1a6b097ef9e5d7aa2 /lib/gitlab/utils.rb
parent: bf18f3295b550c564086efd0a32d9a25435ce216 (diff)
download: gitlab-ce-049d16d168fdee408b78f5f38619c092fd3b2265.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/gitlab/utils.rb b/lib/gitlab/utils.rb
index a67a0758257..761cdf25765 100644
--- a/lib/gitlab/utils.rb
+++ b/lib/gitlab/utils.rb
@@ -14,7 +14,10 @@ module Gitlab
     # Also see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/24223#note_284122580
     # It also checks for ALT_SEPARATOR aka '\' (forward slash)
     def check_path_traversal!(path)
-      return unless path.is_a?(String)
+      return unless path
+
+      path = path.to_s if path.is_a?(Gitlab::HashedPath)
+      raise PathTraversalAttackError, 'Invalid path' unless path.is_a?(String)
 
       path = decode_path(path)
       path_regex = %r{(\A(\.{1,2})\z|\A\.\.[/\\]|[/\\]\.\.\z|[/\\]\.\.[/\\]|\n)}
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-10-20 15:10:58 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-10-20 15:10:58 +0000
commit	049d16d168fdee408b78f5f38619c092fd3b2265 (patch)
tree	22d1db5ab4fae0967a4da4b1a6b097ef9e5d7aa2 /lib/gitlab/utils.rb
parent	bf18f3295b550c564086efd0a32d9a25435ce216 (diff)
download	gitlab-ce-049d16d168fdee408b78f5f38619c092fd3b2265.tar.gz