debian-mirror-gitlab/debian/patches/cve-2017-0918.patch

--- a/lib/gitlab/ci/config/node/validators.rb
+++ b/lib/gitlab/ci/config/node/validators.rb
@@ -48,10 +48,24 @@
             include LegacyValidationHelpers
 
             def validate_each(record, attribute, value)
-              unless validate_string(value)
+              if validate_string(value)
+                validate_path(record, attribute, value)
+              else
                 record.errors.add(attribute, 'should be a string or symbol')
               end
             end
+
+            private
+
+            def validate_path(record, attribute, value)
+              path = CGI.unescape(value.to_s)
+
+              if path.include?('/')
+                record.errors.add(attribute, 'cannot contain the "/" character')
+              elsif path == '.' || path == '..'
+                record.errors.add(attribute, 'cannot be "." or ".."')
+              end
+            end
           end
 
           class TypeValidator < ActiveModel::EachValidator
Multiple security fixes 2018-03-11 20:27:47 +05:30			`--- a/lib/gitlab/ci/config/node/validators.rb`
			`+++ b/lib/gitlab/ci/config/node/validators.rb`
			`@@ -48,10 +48,24 @@`
			`include LegacyValidationHelpers`

			`def validate_each(record, attribute, value)`
			`- unless validate_string(value)`
			`+ if validate_string(value)`
			`+ validate_path(record, attribute, value)`
			`+ else`
			`record.errors.add(attribute, 'should be a string or symbol')`
			`end`
			`end`
			`+`
			`+ private`
			`+`
			`+ def validate_path(record, attribute, value)`
			`+ path = CGI.unescape(value.to_s)`
			`+`
			`+ if path.include?('/')`
			`+ record.errors.add(attribute, 'cannot contain the "/" character')`
			`+ elsif path == '.' \|\| path == '..'`
			`+ record.errors.add(attribute, 'cannot be "." or ".."')`
			`+ end`
			`+ end`
			`end`

			`class TypeValidator < ActiveModel::EachValidator`