Make allowlist case-sensitive

02fcd144 · Joern Schneeweisz · GitLab · 9c22b944 · 02fcd144 · 02fcd144
--- a/gems/gitlab-utils/lib/gitlab/utils.rb
+++ b/gems/gitlab-utils/lib/gitlab/utils.rb
@@ -11,10 +11,8 @@ module Utils
    ConcurrentRubyThreadIsUsedError = Class.new(StandardError)

    def allowlisted?(absolute_path, allowlist)
-      path = absolute_path.downcase
-
-      allowlist.map(&:downcase).any? do |allowed_path|
-        path.start_with?(allowed_path)
+      allowlist.any? do |allowed_path|
+        absolute_path.start_with?(allowed_path)
      end
    end


--- a/gems/gitlab-utils/spec/gitlab/utils_spec.rb
+++ b/gems/gitlab-utils/spec/gitlab/utils_spec.rb
@@ -21,6 +21,10 @@
    it 'returns false if path is not allowed' do
      expect(allowlisted?('/test/test', allowed_paths)).to be(false)
    end
+
+    it 'returns false if path is in different case' do
+      expect(allowlisted?('/Foo/bar', allowed_paths)).to be(false)
+    end
  end

  describe '.decode_path' do