Diffstat (limited to 'lib/api/validations/validators/file_path.rb')
-rw-r--r--lib/api/validations/validators/file_path.rb8
1 files changed, 5 insertions, 3 deletions
diff --git a/lib/api/validations/validators/file_path.rb b/lib/api/validations/validators/file_path.rb
index fee71373170..8a815c3b2b8 100644
--- a/lib/api/validations/validators/file_path.rb
+++ b/lib/api/validations/validators/file_path.rb
@@ -5,10 +5,12 @@ module API
module Validators
class FilePath < Grape::Validations::Base
def validate_param!(attr_name, params)
+ options = @option.is_a?(Hash) ? @option : {}
+ path_allowlist = options.fetch(:allowlist, [])
path = params[attr_name]
-
- Gitlab::Utils.check_path_traversal!(path)
- rescue ::Gitlab::Utils::PathTraversalAttackError
+ path = Gitlab::Utils.check_path_traversal!(path)
+ Gitlab::Utils.check_allowed_absolute_path!(path, path_allowlist)
+ rescue
raise Grape::Exceptions::Validation, params: [@scope.full_name(attr_name)],
message: "should be a valid file path"
end
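Review bot: The bare `rescue` on the new side catches every StandardError raised inside `validate_param!`, not only the rejections from the two path checks. A NoMethodError or TypeError caused by a bug (for example a nil `path` reaching `check_allowed_absolute_path!`) would be returned to the client as "should be a valid file path" and never show up in error tracking. Failing closed is the right default for a validator, but the rescue should name what it expects: keep `rescue ::Gitlab::Utils::PathTraversalAttackError` and add the specific error class that `check_allowed_absolute_path!` raises, which is not visible in this hunk; if that helper raises a plain StandardError, giving it a dedicated class would let this rescue stay narrow. A short comment above `path_allowlist` would also help, stating that the default `[]` presumably means no absolute path is accepted unless the endpoint passes an `allowlist:` option.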