
Raise if path isn't a string

Dominic Couture requested to merge dcouture-path-traversal-check-type into master

What does this MR do and why?

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/371994

Kicking off a quick MR to see if specs fail. I will clean it up with specs depending on how much stuff breaks (if at all!)

Screenshots or screen recordings

N/A

How to set up and validate locally

From the rails console

[1] pry(main)> attack = [ ".." , "..", "..", "..", "..", "..", "..", "..", "..", "..", "etc", "passwd"]
=> ["..", "..", "..", "..", "..", "..", "..", "..", "..", "..", "etc", "passwd"]
[2] pry(main)> Gitlab::Utils.check_path_traversal! attack
Gitlab::Utils::PathTraversalAttackError: Invalid path
from /home/dcouture/gdk/canonical/gitlab/lib/gitlab/utils.rb:20:in `check_path_traversal!'

Previously this did not raise

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Couture
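The type guard named in the title, as an added Ruby example that is not GitLab's code: it contrasts a check that skips non-String input with one that rejects it, using the array shape from the console session above. The method names, the regex, the `/srv/uploads` base directory and the fail-open variant are assumptions made for illustration.

```ruby
# Added illustration; all names are hypothetical, not GitLab's implementation.
class PathTraversalError < StandardError; end

# Matches a ".." segment at the start, middle or end of a forward-slash path.
TRAVERSAL = %r{(\A|/)\.\.(/|\z)}

# Fail-open variant (assumed for illustration): non-String input is skipped,
# so the pattern test never runs on it.
def lenient_check!(path)
  return path unless path.is_a?(String)
  raise PathTraversalError, 'Invalid path' if path.match?(TRAVERSAL)

  path
end

# Fail-closed variant: anything that is not a String is rejected outright.
def strict_check!(path)
  raise PathTraversalError, 'Invalid path' unless path.is_a?(String)
  raise PathTraversalError, 'Invalid path' if path.match?(TRAVERSAL)

  path
end

# Returns true when the named check raises for the given input.
def rejected?(check, input)
  send(check, input)
  false
rescue PathTraversalError
  true
end

# Constructed input with the same shape as the console session.
SEGMENTS = ['..'] * 10 + %w[etc passwd]

# File.join flattens array arguments, so an array that slipped past the check
# still becomes a traversal path once it is joined to a base directory.
def resolved(base, input)
  File.expand_path(File.join(base, input))
end

if __FILE__ == $PROGRAM_NAME
  puts "lenient rejects array: #{rejected?(:lenient_check!, SEGMENTS)}"
  puts "strict rejects array:  #{rejected?(:strict_check!, SEGMENTS)}"
  puts "joined array resolves to: #{resolved('/srv/uploads', SEGMENTS)}"
end
```

Rejecting unexpected types at the check, rather than returning early, keeps the validation result meaningful even when a caller passes a parameter that a framework has parsed into an array.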
