Use absolute path when unpacking command
Summary
In a5680e02 we changed the code to use only the backup file name when unpacking a backup. This was done to prevent path traversal attacks.
Steps to reproduce
BACKUP=/path/to/backup/file/../../../../backup.tar.gz rake gitlab:backup:restore
Possible fixes
Instead of using the basename
of the file, when can use the check_path_traversal! method and abort the process if there is path traversal.
Edited by Francisco Javier López (ex-Gitlab)