Backport #4760 to 3.1

Zip check allowlist (#4758) - backport to 3.1.

Author: johrstrom

apps/dashboard/app/controllers/files_controller.rb

@@ -68,8 +68,13 @@ def fs
                     next unless File.readable?(file.realpath)
 
                     if File.file?(file.realpath)
-                      zip.write_deflated_file(file.relative_path.to_s) do |zip_file|
-                        IO.copy_stream(file.realpath, zip_file)
+                      File.open(file.realpath, 'rb') do |opened_file|
+                        real_path = File.readlink("/proc/self/fd/#{opened_file.fileno}")
+                        next unless AllowlistPolicy.default.permitted?(real_path)
+  
+                        zip.write_deflated_file(file.relative_path.to_s) do |zip_file|
+                          IO.copy_stream(opened_file, zip_file)
+                        end
                       end
                     else
                       zip.add_empty_directory(dirname: file.relative_path.to_s)