diff --git a/ee/app/models/product_analytics/dashboard.rb b/ee/app/models/product_analytics/dashboard.rb
index bcb5d83f9010842cce166777269c50ae21e89e8b..f0fa5539cde6f54f569020302be9355be7193c3b 100644
--- a/ee/app/models/product_analytics/dashboard.rb
+++ b/ee/app/models/product_analytics/dashboard.rb
@@ -68,7 +68,7 @@ def self.local_dashboards(container, config_project, trees)
 end
 def self.load_yaml_dashboard_config(name, file_path)
- Gitlab::PathTraversal.check_path_traversal!(name)
+ Gitlab::PathTraversal.check_allowed_absolute_path_and_path_traversal!(name, [])
 YAML.safe_load(
 File.read(Rails.root.join(file_path, "#{name}.yaml"))
diff --git a/ee/spec/models/product_analytics/dashboard_spec.rb b/ee/spec/models/product_analytics/dashboard_spec.rb
index 78287c3bd722e76eac9082b29ade0bd4883f4ff7..c55c5f80757c8f2cffb635b6d5372fe212a7982b 100644
--- a/ee/spec/models/product_analytics/dashboard_spec.rb
+++ b/ee/spec/models/product_analytics/dashboard_spec.rb
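Review bot: Only `name` is validated while `file_path` goes into `Rails.root.join(file_path, "#{name}.yaml")` unchecked; because `Pathname#join` discards every earlier component once a later one is absolute, the same hazard the commit closes for `name` would apply to `file_path` if any caller can influence it. From the hunk I cannot tell whether `file_path` is always a constant (the surrounding `local_dashboards(container, config_project, trees)` context suggests it may be caller-derived), so either document that it is trusted or run the same check on it. The reason for switching to the absolute-path variant deserves a why-comment above the call, e.g. `# Reject absolute names as well as traversal: Rails.root.join drops file_path entirely when name is absolute.` The body of load_yaml_dashboard_config continues past the end of the hunk.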
@@ -232,4 +232,36 @@
 end
 end
 end
+
+ describe '.load_yaml_dashboard_config' do
+ let(:file_path) { '.gitlab/analytics/dashboards' }
+
+ context 'when invalid path is provided' do
+ it 'raises exception for absolute path traversal attempt' do
+ invalid_file_name = '/tmp/foo'
+
+ error_message = "path #{invalid_file_name} is not allowed"
+ expect { described_class.load_yaml_dashboard_config(invalid_file_name, file_path) }
+ .to raise_error(StandardError, error_message)
+ end
+
+ it 'raises exception when path traversal is attempted' do
+ error_message = "Invalid path"
+ expect { described_class.load_yaml_dashboard_config('../foo', file_path) }
+ .to raise_error(Gitlab::PathTraversal::PathTraversalAttackError, error_message)
+ end
+ end
+
+ context 'for valid path' do
+ subject do
+ described_class.load_yaml_dashboard_config('behavior',
+ 'ee/lib/gitlab/analytics/product_analytics/dashboards')
+ end
+
+ it 'loads the dashboard config' do
+ expect(subject["title"]).to eq('Behavior')
+ expect(subject.size).to eq(3)
+ end
+ end
+ end
 end
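Review bot: The 'for valid path' example pins `expect(subject.size).to eq(3)`, which couples the spec to the number of top-level keys in the shipped `behavior.yaml` rather than to the method under test, so an unrelated dashboard edit will break it; `expect(subject["title"]).to eq('Behavior')` already proves the file was located and parsed, or compare against `YAML.safe_load(File.read(...))` of the same fixture if full equality is wanted. Style point: `let(:file_path)` is declared at the describe level but the valid-path context bypasses it with a literal second argument to `load_yaml_dashboard_config`, so either override `file_path` in that context or make the literal its own `let`. The two invalid-path examples also match on the exact error strings, which is fine for pinning behaviour but means they need updating whenever the messages raised by `Gitlab::PathTraversal` change.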