Merge branch 'security-path-traversal-master' into 'master'

UploadRewriter Path Traversal Security Fix See merge request gitlab-org/security/gitlab!365

Merge branch 'security-path-traversal-master' into 'master'
UploadRewriter Path Traversal Security Fix See merge request gitlab-org/security/gitlab!365
5153fd8d · GitLab Release Tools Bot · 0eef93f9 · 7cb0e02a · 5153fd8d · 5153fd8d
Commit 5153fd8d authored Mar 24, 2020 by GitLab Release Tools Bot
3 changed files
--- a/changelogs/unreleased/security-path-traversal-master.yml
+++ b/changelogs/unreleased/security-path-traversal-master.yml
+---
+title: Fix UploadRewriter Path Traversal vulnerability
+merge_request:
+author:
+type: security
--- a/lib/gitlab/gfm/uploads_rewriter.rb
+++ b/lib/gitlab/gfm/uploads_rewriter.rb
@@ -22,6 +22,8 @@ module Gitlab
        return @text unless needs_rewrite?
        @text.gsub(@pattern) do |markdown|
+          Gitlab::Utils.check_path_traversal!($~[:file])
          file = find_file(@source_project, $~[:secret], $~[:file])
          break markdown unless file.try(:exists?)

--- a/spec/lib/gitlab/gfm/uploads_rewriter_spec.rb
+++ b/spec/lib/gitlab/gfm/uploads_rewriter_spec.rb
@@ -68,6 +68,16 @@ describe Gitlab::Gfm::UploadsRewriter do
      expect(moved_text.scan(/\A\[.*?\]/).count).to eq(1)
    end
+    context 'path traversal in file name' do
+      let(:text) do
+        "![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)"
+      end
+      it 'throw an error' do
+        expect { rewriter.rewrite(new_project) }.to raise_error(an_instance_of(StandardError).and having_attributes(message: "Invalid path"))
+      end
+    end
    context "file are stored locally" do
      include_examples "files are accessible"
    end