Prevent path traversal via bibliography metadata field

The bibliography filename is read from the submitter-controlled
paper.yml / paper.md front matter and concatenated to the paper's
directory with no normalisation, so a value like
"../../../../etc/hosts" resolves outside the clone directory.
BibTeX.open then reads that file and any unparseable lines are
echoed back into the public review issue via DOIWorker.

Clamp the bibliography filename with File.basename so the lookup
always stays inside the paper's directory.

Author: arfon

app/lib/paper_file.rb

@@ -39,7 +39,7 @@ def bibtex_entries
   end
 
   def bibtex_path
-    @bibtex_path ||= "#{File.dirname(paper_path)}/#{bibtex_filename}"
+    @bibtex_path ||= "#{File.dirname(paper_path)}/#{File.basename(bibtex_filename.to_s)}"
   end
 
   def bibtex_filename

spec/paper_file_spec.rb

@@ -54,6 +54,16 @@
       expect(YAML).to receive(:load_file).with("./doc/paper.md").and_return({'bibliography' => 'references.bib'})
       expect(subject.bibtex_path).to eq("./doc/references.bib")
     end
+
+    it "should clamp the bibliography filename to its basename to prevent path traversal" do
+      expect(YAML).to receive(:load_file).with("./doc/paper.md").and_return({'bibliography' => '../../../../etc/hosts'})
+      expect(subject.bibtex_path).to eq("./doc/hosts")
+    end
+
+    it "should strip leading directories from the bibliography filename" do
+      expect(YAML).to receive(:load_file).with("./doc/paper.md").and_return({'bibliography' => 'subdir/refs.bib'})
+      expect(subject.bibtex_path).to eq("./doc/refs.bib")
+    end
   end
 
   describe "#bib" do