66744469d4
RubyZip allows us to perform strong validation of expanded paths where we extract files. We introduce the following additional checks to the extract routines:

1. None of the path components can be symlinked.
2. We drop privileges support for directories.
3. The symlink source needs to point within the target directory, like `public/`.
4. The symlink source needs to exist ahead of time.
| Name |
|---|
| api/schemas |
| authentication |
| clusters |
| codequality |
| config |
| container_registry |
| emails |
| encoding |
| gitlab/ci/external_files |
| importers/bitbucket_server |
| junit |
| patchfiles |
| project_services/campfire |
| safe_zip |
| security-reports |
| sentry |
| trace |
| aosp_manifest.xml |
| banana_sample.gif |
| bfg_object_map.txt |
| big-image.png |
| blockquote_fence_after.md |
| blockquote_fence_before.md |
| ci_build_artifacts.zip |
| ci_build_artifacts_metadata.gz |
| csv_comma.csv |
| csv_semicolon.csv |
| csv_tab.csv |
| dk.png |
| doc_sample.txt |
| domain_blacklist.txt |
| fuzzy.po |
| git-cheat-sheet.pdf |
| GoogleCodeProjectHosting.json |
| invalid.po |
| logo_sample.svg |
| malicious.bundle |
| markdown.md.erb |
| metrics.json |
| missing_metadata.po |
| missing_plurals.po |
| multiple_plurals.po |
| newlines.po |
| pages.tar.gz |
| pages.zip |
| pages.zip.meta |
| pages_empty.tar.gz |
| pages_empty.zip |
| pages_empty.zip.meta |
| pages_non_writeable.zip |
| project_export.tar.gz |
| rails_sample.jpg |
| sanitized.svg |
| ssh_host_example_key.pub |
| symlink_export.tar.gz |
| unescaped_chars.po |
| unsanitized.svg |
| valid.po |
| video_sample.mp4 |