Merge branch 'joern-add-path-traversal-check' into 'master'

Add missing path traversal check See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149717 Merged-by: Terri Chu <tchu@gitlab.com> Approved-by: Terri Chu <tchu@gitlab.com> Co-authored-by: Tiger <twatson@gitlab.com> Co-authored-by: Joern Schneeweisz <jschneeweisz@gitlab.com>

Merge branch 'joern-add-path-traversal-check' into 'master'
4bed82d5 · Terri Chu · GitLab · ef239c29 · b6c48366 · 4bed82d5
--- a/app/helpers/in_product_marketing_helper.rb
+++ b/app/helpers/in_product_marketing_helper.rb
@@ -2,7 +2,10 @@

 module InProductMarketingHelper
  def inline_image_link(image, options)
-    attachments.inline[image] = File.read(Rails.root.join("app/assets/images", image))
+    asset_path = Rails.root.join("app/assets/images").to_s
+    image_path = File.join(asset_path, image)
+    Gitlab::PathTraversal.check_allowed_absolute_path_and_path_traversal!(image_path, [asset_path])
+    attachments.inline[image] = File.read(image_path)
    image_tag attachments[image].url, **options
  end


--- a/spec/helpers/in_product_marketing_helper_spec.rb
+++ b/spec/helpers/in_product_marketing_helper_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe InProductMarketingHelper, feature_category: :activation do
+  describe '#inline_image_link' do
+    let(:image) { 'gitlab_logo.png' }
+
+    before do
+      attachments = instance_double(Mail::AttachmentsList).as_null_object
+
+      allow(helper).to receive(:attachments).and_return(attachments)
+      allow(attachments).to receive(:[]).with(image).and_return(Mail::Part.new)
+    end
+
+    it 'checks for path traversal' do
+      asset_path = Rails.root.join("app/assets/images").to_s
+      image_path = File.join(asset_path, image)
+
+      expect(Gitlab::PathTraversal).to receive(:check_allowed_absolute_path_and_path_traversal!)
+        .with(image_path, [asset_path])
+
+      helper.inline_image_link(image, {})
+    end
+  end
+end