Backport #4759 to 4.0

Zip check allowlist (#4758) - backported to 4.0.

Author: johrstrom

apps/dashboard/app/controllers/files_controller.rb

@@ -67,8 +67,13 @@ def fs
                   next unless File.readable?(file.realpath)
 
                   if File.file?(file.realpath)
-                    zip.write_deflated_file(file.relative_path.to_s) do |zip_file|
-                      IO.copy_stream(file.realpath, zip_file)
+                    File.open(file.realpath, 'rb') do |opened_file|
+                      real_path = File.readlink("/proc/self/fd/#{opened_file.fileno}")
+                      next unless AllowlistPolicy.default.permitted?(real_path)
+
+                      zip.write_deflated_file(file.relative_path.to_s) do |zip_file|
+                        IO.copy_stream(opened_file, zip_file)
+                      end
                     end
                   else
                     zip.add_empty_directory(dirname: file.relative_path.to_s)