discourse/spec/lib/backup_restore
Roman Rizzi b348c0d0ce SECURITY: block cross-site backup traversal in multisite local storage
Harden backup download/delete/restore path handling to prevent path traversal across site backup directories in multisite setups using local backup storage. Tighten backup route matching, validate backup IDs in admin backup member actions, and enforce canonical-path containment in LocalBackupStore so filenames cannot escape the current site’s backup directory. Add regression specs for route matching, controller rejection of traversal IDs, and local store traversal protection.

CVE: https://github.com/discourse/discourse/security/advisories/GHSA-5j6v-4x6g-9pg5
2026-05-19 00:26:04 +01:00
backup_file_handler_multisite_spec.rb DEV: Use freeze_time_safe in more places (#25949) 2024-03-01 10:07:35 +10:00
backup_file_handler_spec.rb FIX: Handle restore URLs ending with query params (#33384) 2025-07-07 18:43:31 +03:00
creator_spec.rb DEV: Rename Backuper to Creator 2026-01-22 18:46:02 +00:00
database_restorer_multisite_spec.rb DEV: Use freeze_time_safe in more places (#25949) 2024-03-01 10:07:35 +10:00
database_restorer_spec.rb FIX: Remove unsupported SQL from DB dump during restore 2025-11-03 11:15:00 +01:00
local_backup_store_spec.rb SECURITY: block cross-site backup traversal in multisite local storage 2026-05-19 00:26:04 +01:00
meta_data_handler_spec.rb DEV: Use freeze_time_safe in more places (#25949) 2024-03-01 10:07:35 +10:00
s3_backup_store_spec.rb DEV: Bump aws-sdk-core in prep for aws-sdk-mediaconvert (#33250) 2025-06-20 16:41:01 -06:00
shared_context_for_backup_restore.rb FEATURE: Add utilities for importing and exporting backups (#32992) 2025-06-11 15:44:10 +03:00
shared_examples_for_backup_store.rb FIX: Use a valid value for disabling backups using backup_frequency (#34245) 2025-08-12 13:19:56 +08:00
system_interface_multisite_spec.rb DEV: Use freeze_time_safe in more places (#25949) 2024-03-01 10:07:35 +10:00
system_interface_spec.rb DEV: Upgrade Sidekiq to v7.3.9 2025-03-10 15:02:48 +01:00
uploads_restorer_spec.rb DEV: Use freeze_time_safe in more places (#25949) 2024-03-01 10:07:35 +10:00