From edd05fc48c748ba0945652c8c83e7617ccc029fc Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Fri, 10 Apr 2015 18:16:46 +0200
Subject: Fix directory traversal vulnerability around help pages.

---
 app/controllers/help_controller.rb | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

(limited to 'app/controllers/help_controller.rb')

diff --git a/app/controllers/help_controller.rb b/app/controllers/help_controller.rb
index fbd9e67e6df..0010caad773 100644
--- a/app/controllers/help_controller.rb
+++ b/app/controllers/help_controller.rb
@@ -3,7 +3,7 @@ class HelpController < ApplicationController
   end
 
   def show
-    @filepath = params[:filepath]
+    @filepath = clean_path_info(params[:filepath])
     @format = params[:format]
 
     respond_to do |format|
@@ -36,4 +36,22 @@ class HelpController < ApplicationController
 
   def ui
   end
+
+  # Taken from ActionDispatch::FileHandler
+  PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
+
+  def clean_path_info(path_info)
+    parts = path_info.split PATH_SEPS
+
+    clean = []
+
+    parts.each do |part|
+      next if part.empty? || part == '.'
+      part == '..' ? clean.pop : clean << part
+    end
+
+    clean.unshift '/' if parts.empty? || parts.first.empty?
+
+    ::File.join(*clean)
+  end
 end
-- 
cgit v1.2.1