Add FileUploader.root to allowed upload paths
What does this MR do?
Currently we check if the uploaded file is under Gitlab.config.uploads.storage_path; the problem is that uploads are placed in the uploads subdirectory, which is a symlink.
In the allow_path? method we check real (expanded) paths, which causes Gitlab.config.uploads.storage_path to be expanded into the symlink path, and there is a mismatch with the upload file path.
By adding Gitlab.config.uploads.storage_path/uploads into allowed paths, this path is expanded during the path check.
Gitlab.config.uploads.storage_path is left there intentionally in case some uploader wouldn't use the uploads subdir.
No test is included for this change (this is just about including symlink dir), there is not much logic to test in this.
Are there points in the code the reviewer needs to double check?
Why was this MR needed?
Screenshots (if relevant)
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated
- API support added
- Tests added for this feature/bug
- Conform by the code review guidelines
- Has been reviewed by a UX Designer
- Has been reviewed by a Frontend maintainer
- Has been reviewed by a Backend maintainer
- Has been reviewed by a Database specialist
- Conform by the merge request performance guides
- Conform by the style guides
- Conform by the database guides
- If you have multiple commits, please combine them into a few logically organized commits by squashing them
- Internationalization required/considered
- End-to-end tests pass (package-and-qa manual pipeline job)
What are the relevant issue numbers?
Closes gitlab-qa#291 (closed)
Edited by Kamil Trzciński (Back 2025-01-01)
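The symlink mismatch described in this MR, reproduced as an added example that is not part of the merge request or GitLab's code. `path_allowed?` and the temporary directory names are hypothetical stand-ins for `allow_path?` and `Gitlab.config.uploads.storage_path`.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical helper (not GitLab's allow_path?): true when the resolved
# file path lies inside one of the resolved allowed directories.
def path_allowed?(file_path, allowed_dirs)
  real_file = File.realpath(file_path)
  allowed_dirs.any? do |dir|
    next false unless File.exist?(dir)
    # Compare with a trailing separator so /a/up does not match /a/uploads.
    real_file.start_with?(File.realpath(dir) + File::SEPARATOR)
  end
rescue Errno::ENOENT
  false
end

# Builds a constructed layout: storage/uploads is a symlink to a directory
# outside storage, as in the setup the MR describes.
def symlink_demo
  Dir.mktmpdir do |root|
    storage = File.join(root, "storage")        # stands in for storage_path
    shared  = File.join(root, "shared_uploads") # real location of the files
    outside = File.join(root, "outside")        # never allowed
    [storage, shared, outside].each { |d| FileUtils.mkdir_p(d) }
    uploads = File.join(storage, "uploads")
    File.symlink(shared, uploads)

    upload = File.join(uploads, "avatar.png")
    stray  = File.join(outside, "secret.txt")
    [upload, stray].each { |f| File.write(f, "constructed sample") }
    dotdot = File.join(uploads, "..", "outside", "secret.txt")

    allowed = [storage, uploads]
    {
      # realpath(upload) is under shared_uploads, not under storage
      storage_only: path_allowed?(upload, [storage]),
      # realpath(storage/uploads) is shared_uploads, so the prefix matches
      with_uploads: path_allowed?(upload, allowed),
      # files outside both resolved directories stay rejected
      outside_file: path_allowed?(stray, allowed),
      dotdot:       path_allowed?(dotdot, allowed)
    }
  end
end

p symlink_demo if __FILE__ == $PROGRAM_NAME
```

Because both sides are resolved before the prefix comparison, adding the symlinked subdirectory widens the allow-list only to the symlink's target, and the `..` case is still rejected.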