summaryrefslogtreecommitdiff
path: root/app/models/concerns/sanitizable.rb
diff options
context:
space:
mode:
Diffstat (limited to 'app/models/concerns/sanitizable.rb')
-rw-r--r--app/models/concerns/sanitizable.rb9
1 files changed, 9 insertions, 0 deletions
diff --git a/app/models/concerns/sanitizable.rb b/app/models/concerns/sanitizable.rb
index 05756beb404..653d7a4875d 100644
--- a/app/models/concerns/sanitizable.rb
+++ b/app/models/concerns/sanitizable.rb
@@ -45,6 +45,15 @@ module Sanitizable
unless input.to_s == CGI.unescapeHTML(input.to_s)
record.errors.add(attr, 'cannot contain escaped HTML entities')
end
+
+ # This method raises an exception on failure so perform this
+ # last if multiple errors should be returned.
+ Gitlab::Utils.check_path_traversal!(input.to_s)
+
+ rescue Gitlab::Utils::DoubleEncodingError
+ record.errors.add(attr, 'cannot contain escaped components')
+ rescue Gitlab::Utils::PathTraversalAttackError
+ record.errors.add(attr, "cannot contain a path traversal component")
end
end
end
View Lorry Controller Status