69645389e9
The API permits path traversal characters like '../' to be passed down to the template finder. Detect these requests and cause them to fail with a 500 response code.
44 lines
1.2 KiB
Ruby
44 lines
1.2 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
# Searches and reads file present on GitLab installation directory
|
|
module Gitlab
|
|
module Template
|
|
module Finders
|
|
class GlobalTemplateFinder < BaseTemplateFinder
|
|
def initialize(base_dir, extension, categories = {})
|
|
@categories = categories
|
|
@extension = extension
|
|
super(base_dir)
|
|
end
|
|
|
|
def read(path)
|
|
File.read(path)
|
|
end
|
|
|
|
def find(key)
|
|
file_name = "#{key}#{@extension}"
|
|
|
|
# The key is untrusted input, so ensure we can't be directed outside
|
|
# of base_dir
|
|
Gitlab::Utils.check_path_traversal!(file_name)
|
|
|
|
directory = select_directory(file_name)
|
|
directory ? File.join(category_directory(directory), file_name) : nil
|
|
end
|
|
|
|
def list_files_for(dir)
|
|
dir = "#{dir}/" unless dir.end_with?('/')
|
|
Dir.glob(File.join(dir, "*#{@extension}")).select { |f| f =~ self.class.filter_regex(@extension) }
|
|
end
|
|
|
|
private
|
|
|
|
def select_directory(file_name)
|
|
@categories.keys.find do |category|
|
|
File.exist?(File.join(category_directory(category), file_name))
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|