Logs when potential path traversal attempt detected

lib/gitlab/utils.rb

@@ -5,6 +5,10 @@ module Gitlab
     extend self
     PathTraversalAttackError ||= Class.new(StandardError)
 
+    private_class_method def logger
+      @logger ||= Gitlab::AppLogger
+    end
+
     # Ensure that the relative path will not traverse outside the base directory
     # We url decode the path to avoid passing invalid paths forward in url encoded format.
     # Also see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/24223#note_284122580
@@ -16,6 +20,7 @@ module Gitlab
       path_regex = %r{(\A(\.{1,2})\z|\A\.\.[/\\]|[/\\]\.\.\z|[/\\]\.\.[/\\]|\n)}
 
       if path.match?(path_regex)
+        logger.warn(message: "Potential path traversal attempt detected", path: "#{path}")
         raise PathTraversalAttackError, 'Invalid path'
       end
 

spec/lib/gitlab/utils_spec.rb

@@ -53,6 +53,16 @@ RSpec.describe Gitlab::Utils do
       expect(check_path_traversal!('dir/.foo.rb')).to eq('dir/.foo.rb')
     end
 
+    it 'logs potential path traversal attempts' do
+      expect(Gitlab::AppLogger).to receive(:warn).with(message: "Potential path traversal attempt detected", path: "..")
+      expect { check_path_traversal!('..') }.to raise_error(/Invalid path/)
+    end
+
+    it 'logs does nothing for a safe string' do
+      expect(Gitlab::AppLogger).not_to receive(:warn).with(message: "Potential path traversal attempt detected", path: "dir/.foo.rb")
+      expect(check_path_traversal!('dir/.foo.rb')).to eq('dir/.foo.rb')
+    end
+
     it 'does nothing for a non-string' do
       expect(check_path_traversal!(nil)).to be_nil
     end