From a12d25d8a5e95ef868370e7c09e777237047366b Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Tue, 23 Oct 2018 14:59:00 -0700
Subject: Validate Wiki attachments are valid temporary files

A malicious attacker could craft a request to read arbitrary files on
the system. This change adds a Grape validation to ensure that the
tempfile parameter delivered by the Rack multipart uploader is a
Tempfile type to prevent users from being able to specify arbitrary
filenames.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/53072
---
 lib/api/wikis.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib/api/wikis.rb')

diff --git a/lib/api/wikis.rb b/lib/api/wikis.rb
index 6e1d4eb335f..24746f4efc6 100644
--- a/lib/api/wikis.rb
+++ b/lib/api/wikis.rb
@@ -6,7 +6,7 @@ module API
       def commit_params(attrs)
         {
           file_name: attrs[:file][:filename],
-          file_content: File.read(attrs[:file][:tempfile]),
+          file_content: attrs[:file][:tempfile].read,
           branch_name: attrs[:branch]
         }
       end
@@ -100,7 +100,7 @@ module API
         success Entities::WikiAttachment
       end
       params do
-        requires :file, type: File, desc: 'The attachment file to be uploaded'
+        requires :file, type: ::API::Validations::Types::SafeFile, desc: 'The attachment file to be uploaded'
         optional :branch, type: String, desc: 'The name of the branch'
       end
       post ":id/wikis/attachments", requirements: API::PROJECT_ENDPOINT_REQUIREMENTS do
-- 
cgit v1.2.1