GitLab

The webapps can produce any type of files in their output, especially symlinks.

To prevent possible infoleak attack, the django UI and nginx frontend (in the django container) must not follow symlinks when reading an output file from a job.

Ideally we should prevent any special file from landing in the datastore in the first place (but with the current implementation it is not a trivial task). For the moment it is wiser just to consider that the datastore content is not trustable.