Merge branch 'path-disclosure-proj-import-export' into 'security'

Fix for path disclosure in project import/export

See merge request !2080

app/helpers/projects_helper.rb

@@ -407,7 +407,10 @@ module ProjectsHelper
   def sanitize_repo_path(project, message)
     return '' unless message.present?
 
-    message.strip.gsub(project.repository_storage_path.chomp('/'), "[REPOS PATH]")
+    exports_path = File.join(Settings.shared['path'], 'tmp/project_exports')
+    filtered_message = message.strip.gsub(exports_path, "[REPO EXPORT PATH]")
+
+    filtered_message.gsub(project.repository_storage_path.chomp('/'), "[REPOS PATH]")
   end
 
   def project_feature_options

changelogs/unreleased/file-import-export-path-disclosure.yml

+---
+title: Fix path disclosure in project import/export
+merge_request: 
+author:
+

spec/helpers/projects_helper_spec.rb

@@ -167,6 +167,7 @@ describe ProjectsHelper do
 
     before do
       allow(project).to receive(:repository_storage_path).and_return('/base/repo/path')
+      allow(Settings.shared).to receive(:[]).with('path').and_return('/base/repo/export/path')
     end
 
     it 'removes the repo path' do
@@ -175,6 +176,13 @@ describe ProjectsHelper do
 
       expect(sanitize_repo_path(project, import_error)).to eq('Could not clone [REPOS PATH]/namespace/test.git')
     end
+
+    it 'removes the temporary repo path used for uploads/exports' do
+      repo = '/base/repo/export/path/tmp/project_exports/uploads/test.tar.gz'
+      import_error = "Unable to decompress #{repo}\n"
+
+      expect(sanitize_repo_path(project, import_error)).to eq('Unable to decompress [REPO EXPORT PATH]/uploads/test.tar.gz')
+    end
   end
 
   describe '#last_push_event' do