Modify regex for Releases API filepath
The following discussions from !25533 (merged) should be addressed:
- @splattael started a discussion: (+2 comments) We are exposing filepath_url but I couldn't find the code where we're exposing filepath 🔍 🤔
- @splattael started a discussion: (+2 comments)
  - Prefer %r{} if the regexp contains slashes so we don't have to escape them
  - Add (?: ... ) if we don't need to capture groups which is here the case I believe
    FILEPATH_REGEX = %r{\A/(?:[\-\.\w]+/?)*[\da-zA-Z]+\z}.freeze
  - Do we want to prevent directory traversal by disallowing /../../../../../etc/passwd? 🤔
  - Do we allow unicode in file path? If not, why not?
  - Do we have access to these filepath? If so, could we just check its existence instead of checking via regex? 🤔
  BTW, did this change slip from the other MR !25512 (diffs)? 🤔
- Prefer
Edited by Vladimir Shushlin
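The traversal and unicode questions raised in the discussion can be checked directly against the quoted regex. The following is an added example, not part of the original issue and not GitLab's code: `traversal_free?` is a hypothetical helper and all sample paths other than `/../../../../../etc/passwd` are constructed.

```ruby
# Regex as quoted in the discussion above.
FILEPATH_REGEX = %r{\A/(?:[\-\.\w]+/?)*[\da-zA-Z]+\z}.freeze

# Hypothetical helper (assumption, not project code): accept a path only if
# it matches the regex AND none of its segments is "." or "..".
def traversal_free?(path)
  return false unless FILEPATH_REGEX.match?(path)

  path.split('/').none? { |segment| %w[. ..].include?(segment) }
end

# Constructed sample inputs; the second one is the path named in the discussion.
SAMPLES = [
  '/binaries/linux-amd64',       # ordinary nested path
  '/../../../../../etc/passwd',  # dot-dot segments
  '/docs/./../notes',            # mixed "." and ".." segments
  "/caf\u00e9",                  # non-ASCII letter (Ruby's \w is ASCII-only)
  '/a//b',                       # empty segment
  'relative/path',               # no leading slash
  '/trailing/'                   # trailing slash
].freeze

# Returns [path, matches_regex, passes_segment_check] for every sample.
def report
  SAMPLES.map { |path| [path, FILEPATH_REGEX.match?(path), traversal_free?(path)] }
end

if __FILE__ == $PROGRAM_NAME
  report.each do |path, regex_ok, safe|
    puts format('%-30s regex=%-5s traversal_free=%s', path, regex_ok, safe)
  end
end
```

The regex on its own accepts `.` and `..` segments because `.` is in the allowed character class, so a separate segment check (or path normalization before use) is needed if those must be rejected.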