diff --git a/app/models/repository.rb b/app/models/repository.rb
index 4d350f937a624d644f7fdc162b72905756f4889b..50f347b58c8fc82384cbe9aad0360e0093ba4232 100644
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -860,7 +860,8 @@ class Repository
       source_branch: source_branch,
       source_project: source_project) do
       index = rugged.index
-      branch_commit = find_branch(branch)
+      branch_commit = source_project.repository.find_branch(
+        source_branch || branch)
 
       parents = if branch_commit
                   last_commit = branch_commit.dereferenced_target
@@ -873,6 +874,9 @@ class Repository
       actions.each do |action|
         path = Gitlab::Git::PathHelper.normalize_path(action[:file_path]).to_s
 
+        raise Gitlab::Git::Repository::InvalidBlobName.new("Invalid path") if
+          path.split('/').include?('..')
+
         case action[:action]
         when :create, :update, :move
           mode =