author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-19 01:45:44 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-19 01:45:44 +0000 |
commit | 85dc423f7090da0a52c73eb66faf22ddb20efff9 (patch) | |
tree | 9160f299afd8c80c038f08e1545be119f5e3f1e1 /lib/uploaded_file.rb | |
parent | 15c2c8c66dbe422588e5411eee7e68f1fa440bb8 (diff) | |
download | gitlab-ce-85dc423f7090da0a52c73eb66faf22ddb20efff9.tar.gz |
Add latest changes from gitlab-org/gitlab@13-4-stable-ee
Diffstat (limited to 'lib/uploaded_file.rb')
-rw-r--r-- | lib/uploaded_file.rb | 29 |
1 files changed, 27 insertions, 2 deletions
diff --git a/lib/uploaded_file.rb b/lib/uploaded_file.rb
index 73029c934f4..cd5943b552e 100644
--- a/lib/uploaded_file.rb
+++ b/lib/uploaded_file.rb
@@ -42,6 +42,32 @@ class UploadedFile
 @remote_id = remote_id
 end
+ def self.from_params_without_field(params, upload_paths)
+ path = params['path']
+ remote_id = params['remote_id']
+ return if path.blank? && remote_id.blank?
+
+ # don't use file_path if remote_id is set
+ if remote_id.present?
+ file_path = nil
+ elsif path.present?
+ file_path = File.realpath(path)
+
+ unless self.allowed_path?(file_path, Array(upload_paths).compact)
+ raise InvalidPathError, "insecure path used '#{file_path}'"
+ end
+ end
+
+ UploadedFile.new(
+ file_path,
+ filename: params['name'],
+ content_type: params['type'] || 'application/octet-stream',
+ sha256: params['sha256'],
+ remote_id: remote_id,
+ size: params['size']
+ )
+ end
+
+ def self.from_params(params, field, upload_paths, path_override = nil)
 path = path_override || params["#{field}.path"]
 remote_id = params["#{field}.remote_id"]
@@ -52,8 +78,7 @@ class UploadedFile
 elsif path.present?
 file_path = File.realpath(path)
- paths = Array(upload_paths) << Dir.tmpdir
- unless self.allowed_path?(file_path, paths.compact)
+ unless self.allowed_path?(file_path, Array(upload_paths).compact)
 raise InvalidPathError, "insecure path used '#{file_path}'"
 end
 end |
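Review bot: `from_params_without_field` reads generic, un-prefixed keys (`path`, `remote_id`, `name`, `type`, `sha256`, `size`), so it is only safe when `params` is a hash produced by the trusted component that stored the upload, never the raw request parameters; nothing on the method records that contract. I would add a comment above the `def`, for example `# params must be the upload metadata hash from the trusted upload handler, never client-supplied request params`. The lines from `return if path.blank? && remote_id.blank?` down to the `end` that closes the path check also appear to duplicate the same steps in `from_params`, as far as that method is visible here, so a later fix to the allow-list check would have to be made twice. Moving those steps into one private class method that both entry points call would keep them in step.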
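Review bot: Dropping the implicit `Dir.tmpdir` entry makes the allow-list exactly what the caller passes, and nothing visible in this hunk shows that the callers of `from_params` were updated or that the stricter behaviour is covered by a spec. A caller that still hands over a temp-dir path without listing that directory in `upload_paths` will now get `InvalidPathError`, and with `upload_paths` nil the list is `[]`. A spec asserting that a file under `Dir.tmpdir` is rejected unless the directory is passed explicitly would keep the allowance from being reintroduced later. A comment above the check, such as `# only caller-supplied directories are allowed; Dir.tmpdir is not implicit`, would record the intent. `from_params` begins in the previous hunk and continues past the end of this one.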