gitlab-org--gitlab-foss/lib/gitlab/template/finders/global_template_finder.rb
Nick Thomas 69645389e9
Prevent a path traversal attack on global file templates
The API permits path traversal characters like '../' to be passed down
to the template finder. Detect these requests and cause them to fail
with a 500 response code.
2018-12-05 14:12:35 +00:00


# frozen_string_literal: true
# Searches for and reads template files present in the GitLab installation directory
module Gitlab
module Template
module Finders
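class GlobalTemplateFinder < BaseTemplateFinder
  # Resolves a template key (untrusted; per the commit message it arrives via
  # the API) to a file living under one of the category directories below
  # +base_dir+.
  #
  # @param base_dir [String] root directory passed through to the superclass
  # @param extension [String] suffix appended to every key to form a file name
  # @param categories [Hash] category name => (presumably) subdirectory; only
  #   the keys are consulted here, the directory lookup is +category_directory+
  #   from the superclass
  def initialize(base_dir, extension, categories = {})
    @categories = categories
    @extension = extension
    super(base_dir)
  end

  # Reads the file at +path+ verbatim. This performs no validation of its own;
  # callers are expected to pass a path produced by #find, which is where the
  # traversal checks live.
  #
  # @param path [String]
  # @return [String] file contents
  def read(path)
    File.read(path)
  end

  # Locates the template file for +key+ in the first category directory that
  # contains it.
  #
  # @param key [String] untrusted template name supplied by the caller
  # @return [String, nil] the category directory joined with the file name, or
  #   nil when no category directory holds a matching file
  # @raise [StandardError] when the key attempts to escape the template
  #   directories, raised either by Gitlab::Utils.check_path_traversal! or by
  #   the containment check below
  def find(key)
    file_name = "#{key}#{@extension}"

    # The key is untrusted input, so ensure we can't be directed outside
    # of base_dir. check_path_traversal! is defined elsewhere and its exact
    # rules are not visible from this file; treat it as a pattern denylist.
    Gitlab::Utils.check_path_traversal!(file_name)

    directory = select_directory(file_name)
    return unless directory

    category_dir = category_directory(directory)
    path = File.join(category_dir, file_name)

    # Defence in depth: whatever the denylist above accepts, the resolved path
    # must still sit strictly inside the category directory before it is
    # handed to #read.
    raise StandardError, "Invalid path" unless within_directory?(category_dir, path)

    path
  end

  # Lists every file in +dir+ carrying the configured extension that also
  # passes the class-level filter_regex (defined outside this file).
  #
  # @param dir [String] directory to scan; a trailing slash is added if missing
  # @return [Array<String>] matching paths as returned by Dir.glob
  def list_files_for(dir)
    dir = "#{dir}/" unless dir.end_with?('/')
    Dir.glob(File.join(dir, "*#{@extension}")).select { |f| f =~ self.class.filter_regex(@extension) }
  end

  private

  # First category whose directory contains +file_name+, or nil.
  def select_directory(file_name)
    @categories.keys.find do |category|
      File.exist?(File.join(category_directory(category), file_name))
    end
  end

  # True when +path+, after File.expand_path has collapsed "." and ".."
  # segments (symlinks are deliberately not resolved, so a symlinked template
  # directory keeps working), lies beneath +root+. Both sides are expanded the
  # same way, so a relative +root+ is handled consistently.
  def within_directory?(root, path)
    expanded_root = File.expand_path(root)
    prefix = expanded_root.end_with?(File::SEPARATOR) ? expanded_root : "#{expanded_root}#{File::SEPARATOR}"
    File.expand_path(path).start_with?(prefix)
  end
end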
end
end
end