author | Robert Speicher <robert@gitlab.com> | 2018-01-03 18:00:36 +0000 |
committer | Stan Hu <stanhu@gmail.com> | 2018-01-16 17:04:38 -0800 |
commit | 954a44574fd7a0be232a194d503032e16b8f3094 (patch) | |
tree | bb0315a9b8ddfb1d24725d783df8bbdc279d4e5a /lib | |
parent | 1f96512ba189d1eceb01353ca41c1cb6216d32c1 (diff) | |
download | gitlab-ce-954a44574fd7a0be232a194d503032e16b8f3094.tar.gz |
Merge branch 'ac/fix-path-traversal' into 'security-10-3'
[10.3] Fix path traversal in gitlab-ci.yml cache:key
See merge request gitlab/gitlabhq!2270
(cherry picked from commit c32d0c6807dfd41d7838a35742e6d0986871b389)
df29094a Fix path traversal in gitlab-ci.yml cache:key
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/ci/config/entry/validators.rb | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/lib/gitlab/ci/config/entry/validators.rb b/lib/gitlab/ci/config/entry/validators.rb
index eb606b57667..55658900628 100644
--- a/lib/gitlab/ci/config/entry/validators.rb
+++ b/lib/gitlab/ci/config/entry/validators.rb
@@ -64,10 +64,24 @@ module Gitlab
 include LegacyValidationHelpers
 def validate_each(record, attribute, value)
- unless validate_string(value)
+ if validate_string(value)
+ validate_path(record, attribute, value)
+ else
 record.errors.add(attribute, 'should be a string or symbol')
 end
 end
+
+ private
+
+ def validate_path(record, attribute, value)
+ path = CGI.unescape(value.to_s)
+
+ if path.include?('/')
+ record.errors.add(attribute, 'cannot contain the "/" character')
+ elsif path == '.' || path == '..'
+ record.errors.add(attribute, 'cannot be "." or ".."')
+ end
+ end
 end
 class RegexpValidator < ActiveModel::EachValidator
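Review bot: The new `validate_path` rejects `/`, `.` and `..` but not the backslash, so a key such as `..\..\x` still passes; if the runner joins the key into a filesystem path on a Windows host, that is presumably still a traversal, and the single `CGI.unescape` also only strips one layer of percent-encoding, so `%252F` survives if anything downstream decodes again. I would widen the separator check to `if path.include?('/') || path.include?('\\')` and add the rationale above the unescape, `# unescape first so percent-encoded separators (%2F, %2E%2E) are rejected too`. Note also that this validator sees the literal YAML value: a key like `$CI_COMMIT_REF_NAME` is accepted here and, if it is variable-expanded later, may expand to a value containing `/`, so the consumer of the key still has to normalize it rather than rely on this check alone. The enclosing `KeyValidator` class header is outside the hunk.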