From ae5b935b2888f7721e424cf41e2963e1483d8bb5 Mon Sep 17 00:00:00 2001
From: Lin Jen-Shin <godfat@godfat.org>
Date: Thu, 8 Dec 2016 14:16:06 +0800
Subject: [PATCH] find the commit properly and replicate gitlab_git

by checking filename as well
---
 app/models/repository.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/models/repository.rb b/app/models/repository.rb
index 4d350f937a6..50f347b58c8 100644
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -860,7 +860,8 @@ class Repository
       source_branch: source_branch,
       source_project: source_project) do
       index = rugged.index
-      branch_commit = find_branch(branch)
+      branch_commit = source_project.repository.find_branch(
+        source_branch || branch)
 
       parents = if branch_commit
                   last_commit = branch_commit.dereferenced_target
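Review bot: The new lookup dereferences `source_project.repository` unconditionally while treating `source_branch` as optional (`source_branch || branch`), so a call without a source project would fail on nil unless `source_project` defaults to this project somewhere outside the hunk. The parent commit can now come from another project's repository, while the tree is still built from this repository's `rugged.index`. That presumably relies on the commit already being fetched here and on the caller having checked that the user may read `source_project`; neither is visible in these lines. A comment above the lookup such as `# source_project defaults to this project; its branch tip must already exist in this repository` would record that assumption. The enclosing method starts and ends outside the hunk.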
@@ -873,6 +874,9 @@ class Repository
       actions.each do |action|
         path = Gitlab::Git::PathHelper.normalize_path(action[:file_path]).to_s
 
+        raise Gitlab::Git::Repository::InvalidBlobName.new("Invalid path") if
+          path.split('/').include?('..')
+
         case action[:action]
         when :create, :update, :move
           mode =
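Review bot: The traversal check covers only `action[:file_path]`; if a `:move` action also carries the path it moves from (handled below this hunk, not visible here), that value needs the same normalize-and-reject step before it reaches the index. The guard also depends on `normalize_path` leaving a `..` segment in place when the path would climb above the root, which is worth stating in a comment like `# reject any '..' segment that survives normalization so a blob name cannot leave the tree`. A spec that expects `InvalidBlobName` for `../x` and `a/../../x`, and no error for `a..b/c`, would pin that behaviour. The conventional form is `raise Gitlab::Git::Repository::InvalidBlobName, 'Invalid path' if path.split('/').include?('..')` rather than `.new(...)` with the modifier `if` split across two lines.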
-- 
GitLab