Adds absolute path check for dashboard config (!141593) · Merge requests · GitLab.org / GitLab

Surabhi Suman requested to merge 433134-path-traversal-check into master Jan 11, 2024

What does this MR do and why?

It adds an absolute path check when loading dashboard configuration file to avoid path traversal.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Screenshots or screen recordings

------------ Before ------------

------------ After ------------

How to set up and validate locally

In rails console try the below code:

DASHBOARD_ROOT_LOCATION = ".gitlab/analytics/dashboards"
ProductAnalytics::Dashboard.load_yaml_dashboard_config("/tmp/web-app/foo", DASHBOARD_ROOT_LOCATION)

Related to #433134

Edited Jan 11, 2024 by Surabhi Suman

Adds absolute path check for dashboard config

What does this MR do and why?

MR acceptance checklist

Screenshots or screen recordings

How to set up and validate locally

Merge request reports