RubyZip needs upgrading to >=1.3.0 (zip bomb vuln)

https://github.com/rubyzip/rubyzip/pull/403

GitLab is currently on v1.2.2

Assigned CVE-2019-16892.

From the upstream PR, to extract zip files safely:

If you upgrade to rubyzip >= 1.3.0 and < 2.0.0, you must:

1. be sure to check entry.size as illustrated in the README before you call entry.extract, and
2. set Zip.validate_entry_sizes = true to enable the validation added in this PR.

If you upgrade to rubyzip >= 2.0.0, you must:

1. be sure to check entry.size as illustrated in the README before you call entry.extract. (there is no step 2)

If you are using a recent (not EOL) version of ruby, the upgrade to 2.0.0 should be smooth. See the Changelog for details.
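The two checks above, shown end to end as an added example that is not rubyzip's code and not part of this issue. To stay runnable without the gem, it builds a single-entry zip in memory with the standard library and uses a minimal hand-written central-directory reader in place of Zip::File; the entry struct, the MAX_ENTRY_SIZE cap and the build_zip/extract_all helpers are all assumptions of the example. Check 1 is the "compare entry.size before entry.extract" step; check 2 is the behaviour Zip.validate_entry_sizes = true turns on in rubyzip >= 1.3.0: the inflater is stopped as soon as the output grows past the size the header declared, so a header that lies about its uncompressed size cannot fill the disk.

```ruby
# Added example (not rubyzip's code): a minimal zip reader that applies the two
# checks the advisory asks for, without depending on the rubyzip gem.
require 'zlib'

class EntrySizeError < StandardError; end

# Policy cap on the declared uncompressed size. A made-up value for this example.
MAX_ENTRY_SIZE = 1024 * 1024

Entry = Struct.new(:name, :method, :crc, :compressed_size, :size, :local_offset)

# Build a single-entry zip in memory (constructed test input). `declared_size`
# lets the example forge the size fields the way a zip bomb does.
def build_zip(name, data, declared_size: data.bytesize)
  z = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS) # raw deflate, as zip uses
  deflated = z.deflate(data, Zlib::FINISH)
  z.close
  crc = Zlib.crc32(data)
  local = ["PK\x03\x04", 20, 0, 8, 0, 0, crc, deflated.bytesize, declared_size,
           name.bytesize, 0].pack("a4vvvvvVVVvv") + name.b + deflated
  central = ["PK\x01\x02", 20, 20, 0, 8, 0, 0, crc, deflated.bytesize, declared_size,
             name.bytesize, 0, 0, 0, 0, 0, 0].pack("a4vvvvvvVVVvvvvvVV") + name.b
  eocd = ["PK\x05\x06", 0, 0, 1, 1, central.bytesize, local.bytesize, 0].pack("a4vvvvVVv")
  local + central + eocd
end

# Parse the central directory; this is where an entry's declared size comes from.
def read_entries(zip)
  eocd_at = zip.rindex("PK\x05\x06".b) or raise "no end-of-central-directory record"
  _sig, _disk, _cd_disk, _n, total, _cd_size, cd_offset, _clen = zip[eocd_at, 22].unpack("a4vvvvVVv")
  pos = cd_offset
  Array.new(total) do
    f = zip[pos, 46].unpack("a4vvvvvvVVVvvvvvVV")
    raise "bad central directory signature" unless f[0] == "PK\x01\x02".b
    method, crc, csize, usize, fnlen, exlen, cmlen, offset = f.values_at(4, 7, 8, 9, 10, 11, 12, 16)
    name = zip[pos + 46, fnlen].force_encoding(Encoding::UTF_8)
    pos += 46 + fnlen + exlen + cmlen
    Entry.new(name, method, crc, csize, usize, offset)
  end
end

# Extract one entry with both checks applied; returns the entry's bytes.
def extract_entry(zip, entry, max_size: MAX_ENTRY_SIZE)
  # Check 1: reject on the declared size before touching any compressed data.
  if entry.size > max_size
    raise EntrySizeError, "#{entry.name}: declared size #{entry.size} exceeds cap #{max_size}"
  end
  lh = zip[entry.local_offset, 30].unpack("a4vvvvvVVVvv")
  raise "bad local header" unless lh[0] == "PK\x03\x04".b
  data_at = entry.local_offset + 30 + lh[9] + lh[10] # skip the local name and extra field
  raw = zip[data_at, entry.compressed_size]
  out = String.new(encoding: Encoding::BINARY)
  if entry.method == 0 # stored, nothing to inflate
    out << raw
  else
    # Check 2: abort as soon as inflated output exceeds what the header declared.
    guard = lambda do |chunk|
      out << chunk
      if out.bytesize > entry.size
        raise EntrySizeError, "#{entry.name}: inflated data exceeds declared size #{entry.size}"
      end
    end
    inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
    begin
      (0...raw.bytesize).step(256) { |i| inflater.inflate(raw.byteslice(i, 256), &guard) }
      guard.call(inflater.finish)
    ensure
      inflater.close
    end
  end
  raise EntrySizeError, "#{entry.name}: size mismatch" unless out.bytesize == entry.size
  raise "#{entry.name}: CRC mismatch" unless Zlib.crc32(out) == entry.crc
  out
end

# Convenience wrapper: name => bytes for every entry, or an exception on the first bad one.
def extract_all(zip, max_size: MAX_ENTRY_SIZE)
  read_entries(zip).each_with_object({}) { |e, h| h[e.name] = extract_entry(zip, e, max_size: max_size) }
end

if $PROGRAM_NAME == __FILE__
  honest = build_zip("notes.txt", "A" * 100_000)
  puts "honest entry extracted: #{extract_all(honest)['notes.txt'].bytesize} bytes"
  bomb = build_zip("bomb.txt", "A" * 100_000, declared_size: 10) # header lies about the size
  begin
    extract_all(bomb)
  rescue EntrySizeError => e
    puts "rejected: #{e.message}"
  end
end
```

The forged entry passes check 1 (it claims only 10 bytes) and is caught by check 2 a few bytes into inflation; an honest but oversized declaration is refused by check 1 before any data is inflated. That ordering is the point of the advisory: the pre-extraction size check alone only works if the header is truthful, which is why rubyzip < 2.0.0 needs the validation switched on as well.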

Edited Jan 28, 2020 by GitLab SecurityBot