Fix directory traversal vulnerability around uploads routes.

Douwe Maan 2015-04-10 18:07:31 +02:00
parent 24d139ba97
commit 93133f4da9
2 changed files with 6 additions and 4 deletions


@ -1,6 +1,8 @@
Please view this file on the master branch, on stable branches it's out of date.
v 7.10.0 (unreleased)
- Fix directory traversal vulnerability around uploads routes.
- Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
- Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
- Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
- Add ability to configure Reply-To address in gitlab.yml (Stan Hu)


@ -91,18 +91,18 @@ Gitlab::Application.routes.draw do
# Note attachments and User/Group/Project avatars
get ":model/:mounted_as/:id/:filename",
to: "uploads#show",
constraints: { model: /note|user|group|project/, mounted_as: /avatar|attachment/, filename: /.+/ }
constraints: { model: /note|user|group|project/, mounted_as: /avatar|attachment/, filename: /[^\/]+/ }
# Project markdown uploads
get ":namespace_id/:project_id/:secret/:filename",
to: "projects/uploads#show",
constraints: { namespace_id: /[a-zA-Z.0-9_\-]+/, project_id: /[a-zA-Z.0-9_\-]+/, filename: /.+/ }
constraints: { namespace_id: /[a-zA-Z.0-9_\-]+/, project_id: /[a-zA-Z.0-9_\-]+/, filename: /[^\/]+/ }
end
# Redirect old note attachments path to new uploads path.
get "files/note/:id/:filename",
to: redirect("uploads/note/attachment/%{id}/%(unknown)"),
constraints: { filename: /.+/ }
constraints: { filename: /[^\/]+/ }
#
# Explore area
@ -485,7 +485,7 @@ Gitlab::Application.routes.draw do
resources :uploads, only: [:create] do
collection do
get ":secret/:filename", action: :show, as: :show, constraints: { filename: /.+/ }
get ":secret/:filename", action: :show, as: :show, constraints: { filename: /[^\/]+/ }
end
end
end
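Review bot: The tightened `filename: /[^\/]+/` constraints (all three routes in the first hunk and the `:secret/:filename` route in the second) still admit a bare `.` or `..` segment, and as far as I recall Rails of this era checks segment constraints against the path before the captured parameter is unescaped, so the regex should be treated as defense in depth rather than the only control. The `uploads#show` and `projects/uploads#show` actions are outside this diff, but each should also reject the request (404) unless the decoded value is a plain basename, e.g. `File.basename(params[:filename]) == params[:filename]`, before it is joined onto an upload directory. A one-line comment above the first constraint would help future readers understand why the broader `/.+/` must not return, e.g. `# :filename must be a single path segment so an upload path cannot escape its directory`. The `%(unknown)` in the redirect target on the context line looks like a rendering artifact of the original interpolation rather than part of this change.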