Merge branch '433134-path-traversal-check' into 'master'

Adds absolute path check for dashboard config See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141593 Merged-by: Jessie Young <jessieyoung@gitlab.com> Approved-by: Max Woolf <mwoolf@gitlab.com> Approved-by: Jessie Young <jessieyoung@gitlab.com> Co-authored-by: Surabhi Suman <ssuman@gitlab.com>

Merge branch '433134-path-traversal-check' into 'master'
fc6e54e5 · Jessie Young · GitLab · 26c500fe · 3b0394ca · fc6e54e5
--- a/ee/app/models/product_analytics/dashboard.rb
+++ b/ee/app/models/product_analytics/dashboard.rb
@@ -68,7 +68,7 @@ def self.local_dashboards(container, config_project, trees)
    end

    def self.load_yaml_dashboard_config(name, file_path)
-      Gitlab::PathTraversal.check_path_traversal!(name)
+      Gitlab::PathTraversal.check_allowed_absolute_path_and_path_traversal!(name, [])

      YAML.safe_load(
        File.read(Rails.root.join(file_path, "#{name}.yaml"))

--- a/ee/spec/models/product_analytics/dashboard_spec.rb
+++ b/ee/spec/models/product_analytics/dashboard_spec.rb
@@ -232,4 +232,36 @@
      end
    end
  end
+
+  describe '.load_yaml_dashboard_config' do
+    let(:file_path) { '.gitlab/analytics/dashboards' }
+
+    context 'when invalid path is provided' do
+      it 'raises exception for absolute path traversal attempt' do
+        invalid_file_name = '/tmp/foo'
+
+        error_message = "path #{invalid_file_name} is not allowed"
+        expect { described_class.load_yaml_dashboard_config(invalid_file_name, file_path) }
+          .to raise_error(StandardError, error_message)
+      end
+
+      it 'raises exception when path traversal is attempted' do
+        error_message = "Invalid path"
+        expect { described_class.load_yaml_dashboard_config('../foo', file_path) }
+          .to raise_error(Gitlab::PathTraversal::PathTraversalAttackError, error_message)
+      end
+    end
+
+    context 'for valid path' do
+      subject do
+        described_class.load_yaml_dashboard_config('behavior',
+          'ee/lib/gitlab/analytics/product_analytics/dashboards')
+      end
+
+      it 'loads the dashboard config' do
+        expect(subject["title"]).to eq('Behavior')
+        expect(subject.size).to eq(3)
+      end
+    end
+  end
 end