realaravinth/debian-mirror-gitlab
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

New upstream version 12.6.2

Browse source
This commit is contained in:
Pirate Praveen 2020-01-03 18:37:03 +05:30
parent 5ed1f864fe
commit 0985dbd954
23 changed files with 330 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
.gitlab/ci/releases.gitlab-ci.yml
View file

@ -25,3 +25,12 @@ sync-stable-branch:
only:
refs:
- /^[\d-]+-stable-ee$/@gitlab-org/gitlab
sync-security-branch:
extends: .merge-train-sync
variables:
SOURCE_PROJECT: gitlab-org/security/gitlab
TARGET_PROJECT: gitlab-org/security/gitlab-foss
only:
refs:
- /^[\d-]+-stable-ee$/@gitlab-org/security/gitlab

13
CHANGELOG.md
View file

@ -2,9 +2,20 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
## 12.6.2
### Security (6 changes)
- GraphQL: Add timeout to all queries.
- Filter out notification settings for projects that a user does not have at least read access.
- Hide project name and path when unsusbcribing from an issue or merge request.
- Fix 500 error caused by invalid byte sequences in uploads links.
- Return only runners from groups where user is owner for user CI owned runners.
- Fix Vulnerability of Release Evidence.
## 12.6.1
- No changes.
### Fixed (2 changes)
- Handle forbidden error when checking for knative. !22170

2
VERSION
View file

@ -1 +1 @@
12.6.1
12.6.2

1
app/controllers/profiles/notifications_controller.rb
View file

@ -11,6 +11,7 @@ class Profiles::NotificationsController < Profiles::ApplicationController
exclude_group_ids: @group_notifications.select(:source_id)
).execute.map { |group| current_user.notification_settings_for(group, inherit: true) }
@project_notifications = current_user.notification_settings.for_projects.order(:id)
.select { |notification| current_user.can?(:read_project, notification.source) }
@global_notification_setting = current_user.global_notification_setting
end
# rubocop: enable CodeReuse/ActiveRecord

7
app/controllers/projects/releases_controller.rb
View file

@ -10,7 +10,7 @@ class Projects::ReleasesController < Projects::ApplicationController
push_frontend_feature_flag(:release_evidence_collection, project)
end
before_action :authorize_update_release!, only: %i[edit update]
before_action :authorize_download_code!, only: [:evidence]
before_action :authorize_read_release_evidence!, only: [:evidence]
def index
respond_to do |format|
@ -47,6 +47,11 @@ class Projects::ReleasesController < Projects::ApplicationController
access_denied! unless can?(current_user, :update_release, release)
end
def authorize_read_release_evidence!
access_denied! unless Feature.enabled?(:release_evidence, project, default_enabled: true)
access_denied! unless can?(current_user, :read_release_evidence, release)
end
def release
@release ||= project.releases.find_by_tag!(sanitized_tag_name)
end

4
app/helpers/notifications_helper.rb
View file

@ -116,4 +116,8 @@ module NotificationsHelper
def show_unsubscribe_title?(noteable)
can?(current_user, "read_#{noteable.to_ability_name}".to_sym, noteable)
end
def can_read_project?(project)
can?(current_user, :read_project, project)
end
end

15
app/models/evidence.rb
View file

@ -15,6 +15,21 @@ class Evidence < ApplicationRecord
@milestones ||= release.milestones.includes(:issues)
end
##
# Return `summary` without sensitive information.
#
# Removing issues from summary in order to prevent leaking confidential ones.
# See more https://gitlab.com/gitlab-org/gitlab/issues/121930
def summary
safe_summary = read_attribute(:summary)
safe_summary.dig('release', 'milestones')&.each do |milestone|
milestone.delete('issues')
end
safe_summary
end
private
def generate_summary_and_sha

2
app/models/user.rb
View file

@ -1327,7 +1327,7 @@ class User < ApplicationRecord
.select('ci_runners.*')
group_runners = Ci::RunnerNamespace
.where(namespace_id: owned_or_maintainers_groups.select(:id))
.where(namespace_id: owned_groups.select(:id))
.joins(:runner)
.select('ci_runners.*')

27
app/policies/release_policy.rb
View file

@ -2,4 +2,31 @@
class ReleasePolicy < BasePolicy
delegate { @subject.project }
rule { allowed_to_read_evidence & external_authorization_service_disabled }.policy do
enable :read_release_evidence
end
##
# evidence.summary includes the following entities:
# - Release
# - git-tag (Repository)
# - Project
# - Milestones
# - Issues
condition(:allowed_to_read_evidence) do
can?(:read_release) &&
can?(:download_code) &&
can?(:read_project) &&
can?(:read_milestone) &&
can?(:read_issue)
end
##
# Currently, we don't support release evidence for the GitLab instances
# that enables external authorization services.
# See https://gitlab.com/gitlab-org/gitlab/issues/121930.
condition(:external_authorization_service_disabled) do
!Gitlab::ExternalAuthorization::Config.enabled?
end
end

7
app/views/sent_notifications/unsubscribe.html.haml
View file

@ -1,13 +1,16 @@
- noteable = @sent_notification.noteable
- noteable_type = @sent_notification.noteable_type.titleize.downcase
- noteable_text = show_unsubscribe_title?(noteable) ? %(#{noteable.title} (#{noteable.to_reference})) : %(#{noteable.to_reference})
- page_title _("Unsubscribe"), noteable_text, noteable_type.pluralize, @sent_notification.project.full_name
- show_project_path = can_read_project?(@sent_notification.project)
- project_path = show_project_path ? @sent_notification.project.full_name : _("GitLab / Unsubscribe")
- noteable_url = show_project_path ? url_for([@sent_notification.project.namespace.becomes(Namespace), @sent_notification.project, noteable]) : breadcrumb_title_link
- page_title _('Unsubscribe'), noteable_text, noteable_type.pluralize, project_path
%h3.page-title
= _("Unsubscribe from %{type}") % { type: noteable_type }
%p
- link_to_noteable_text = link_to(noteable_text, url_for([@sent_notification.project.namespace.becomes(Namespace), @sent_notification.project, noteable]))
- link_to_noteable_text = link_to(noteable_text, noteable_url)
= _("Are you sure you want to unsubscribe from the %{type}: %{link_to_noteable_text}?").html_safe % { type: noteable_type, link_to_noteable_text: link_to_noteable_text }
%p

4
config/initializers/graphql.rb
View file

@ -5,3 +5,7 @@ GraphQL::Field.accepts_definitions(authorize: GraphQL::Define.assign_metadata_ke
GraphQL::Schema::Object.accepts_definition(:authorize)
GraphQL::Schema::Field.accepts_definition(:authorize)
GitlabSchema.middleware << GraphQL::Schema::TimeoutMiddleware.new(max_seconds: ENV.fetch('GITLAB_RAILS_GRAPHQL_TIMEOUT', 30).to_i) do |timeout_error, query|
Gitlab::GraphqlLogger.error(message: timeout_error.to_s, query: query.query_string, query_variables: query.provided_variables)
end

6
lib/api/entities.rb
View file

@ -1336,7 +1336,7 @@ module API
expose :author, using: Entities::UserBasic, if: -> (release, _) { release.author.present? }
expose :commit, using: Entities::Commit, if: ->(_, _) { can_download_code? }
expose :upcoming_release?, as: :upcoming_release
expose :milestones, using: Entities::Milestone, if: -> (release, _) { release.milestones.present? }
expose :milestones, using: Entities::Milestone, if: -> (release, _) { release.milestones.present? && can_read_milestone? }
expose :commit_path, expose_nil: false
expose :tag_path, expose_nil: false
expose :evidence_sha, expose_nil: false, if: ->(_, _) { can_download_code? }
@ -1362,6 +1362,10 @@ module API
def can_download_code?
Ability.allowed?(options[:current_user], :download_code, object.project)
end
def can_read_milestone?
Ability.allowed?(options[:current_user], :read_milestone, object.project)
end
end
class Tag < Grape::Entity

12
lib/banzai/filter/relative_link_filter.rb
View file

@ -116,7 +116,7 @@ module Banzai
end
def process_link_to_upload_attr(html_attr)
path_parts = [Addressable::URI.unescape(html_attr.value)]
path_parts = [unescape_and_scrub_uri(html_attr.value)]
if project
path_parts.unshift(relative_url_root, project.full_path)
@ -172,7 +172,7 @@ module Banzai
end
def cleaned_file_path(uri)
Addressable::URI.unescape(uri.path).scrub.delete("\0").chomp("/")
unescape_and_scrub_uri(uri.path).delete("\0").chomp("/")
end
def relative_file_path(uri)
@ -184,7 +184,7 @@ module Banzai
def request_path
return unless context[:requested_path]
Addressable::URI.unescape(context[:requested_path]).chomp("/")
unescape_and_scrub_uri(context[:requested_path]).chomp("/")
end
# Convert a relative path into its correct location based on the currently
@ -266,6 +266,12 @@ module Banzai
def repository
@repository ||= project&.repository
end
private
def unescape_and_scrub_uri(uri)
Addressable::URI.unescape(uri).scrub
end
end
end
end

3
locale/gitlab.pot
View file

@ -8509,6 +8509,9 @@ msgstr ""
msgid "GitHub import"
msgstr ""
msgid "GitLab / Unsubscribe"
msgstr ""
msgid "GitLab CI Linter has been moved"
msgstr ""

29
spec/controllers/profiles/notifications_controller_spec.rb
View file

@ -52,6 +52,35 @@ describe Profiles::NotificationsController do
end.to exceed_query_limit(control)
end
end
context 'with project notifications' do
let!(:notification_setting) { create(:notification_setting, source: project, user: user, level: :watch) }
before do
sign_in(user)
get :show
end
context 'when project is public' do
let(:project) { create(:project, :public) }
it 'shows notification setting for project' do
expect(assigns(:project_notifications).map(&:source_id)).to include(project.id)
end
end
context 'when project is public' do
let(:project) { create(:project, :private) }
it 'shows notification setting for project' do
# notification settings for given project were created before project was set to private
expect(user.notification_settings.for_projects.map(&:source_id)).to include(project.id)
# check that notification settings for project where user does not have access are filtered
expect(assigns(:project_notifications)).to be_empty
end
end
end
end
describe 'POST update' do

81
spec/controllers/projects/releases_controller_spec.rb
View file

@ -167,7 +167,7 @@ describe Projects::ReleasesController do
end
describe 'GET #evidence' do
let(:tag_name) { "v1.1.0-evidence" }
let_it_be(:tag_name) { "v1.1.0-evidence" }
let!(:release) { create(:release, :with_evidence, project: project, tag: tag_name) }
let(:tag) { CGI.escape(release.tag) }
let(:format) { :json }
@ -220,6 +220,85 @@ describe Projects::ReleasesController do
it_behaves_like 'successful request'
end
end
context 'when release is associated to a milestone which includes an issue' do
let_it_be(:project) { create(:project, :repository, :public) }
let_it_be(:issue) { create(:issue, project: project) }
let_it_be(:milestone) { create(:milestone, project: project, issues: [issue]) }
let_it_be(:release) { create(:release, project: project, tag: tag_name, milestones: [milestone]) }
before do
create(:evidence, release: release)
end
shared_examples_for 'does not show the issue in evidence' do
it do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['release']['milestones']
.all? { |milestone| milestone['issues'].nil? }).to eq(true)
end
end
shared_examples_for 'evidence not found' do
it do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
shared_examples_for 'safely expose evidence' do
it_behaves_like 'does not show the issue in evidence'
context 'when the issue is confidential' do
let(:issue) { create(:issue, :confidential, project: project) }
it_behaves_like 'does not show the issue in evidence'
end
context 'when the user is the author of the confidential issue' do
let(:issue) { create(:issue, :confidential, project: project, author: user) }
it_behaves_like 'does not show the issue in evidence'
end
context 'when project is private' do
let!(:project) { create(:project, :repository, :private) }
it_behaves_like 'evidence not found'
end
context 'when project restricts the visibility of issues to project members only' do
let!(:project) { create(:project, :repository, :issues_private) }
it_behaves_like 'evidence not found'
end
end
context 'when user is non-project member' do
let(:user) { create(:user) }
it_behaves_like 'safely expose evidence'
end
context 'when user is auditor', if: Gitlab.ee? do
let(:user) { create(:user, :auditor) }
it_behaves_like 'safely expose evidence'
end
context 'when external authorization control is enabled' do
let(:user) { create(:user) }
before do
stub_application_setting(external_authorization_service_enabled: true)
end
it_behaves_like 'evidence not found'
end
end
end
private

35
spec/controllers/sent_notifications_controller_spec.rb
View file

@ -56,7 +56,7 @@ describe SentNotificationsController do
get(:unsubscribe, params: { id: sent_notification.reply_key })
end
shared_examples 'unsubscribing as anonymous' do
shared_examples 'unsubscribing as anonymous' do |project_visibility|
it 'does not unsubscribe the user' do
expect(noteable.subscribed?(user, target_project)).to be_truthy
end
@ -69,6 +69,18 @@ describe SentNotificationsController do
expect(response.status).to eq(200)
expect(response).to render_template :unsubscribe
end
if project_visibility == :private
it 'does not show project name or path' do
expect(response.body).not_to include(noteable.project.name)
expect(response.body).not_to include(noteable.project.full_name)
end
else
it 'shows project name or path' do
expect(response.body).to include(noteable.project.name)
expect(response.body).to include(noteable.project.full_name)
end
end
end
context 'when project is public' do
@ -79,7 +91,7 @@ describe SentNotificationsController do
expect(response.body).to include(issue.title)
end
it_behaves_like 'unsubscribing as anonymous'
it_behaves_like 'unsubscribing as anonymous', :public
end
context 'when unsubscribing from confidential issue' do
@ -90,7 +102,7 @@ describe SentNotificationsController do
expect(response.body).to include(confidential_issue.to_reference)
end
it_behaves_like 'unsubscribing as anonymous'
it_behaves_like 'unsubscribing as anonymous', :public
end
context 'when unsubscribing from merge request' do
@ -100,7 +112,12 @@ describe SentNotificationsController do
expect(response.body).to include(merge_request.title)
end
it_behaves_like 'unsubscribing as anonymous'
it 'shows project name or path' do
expect(response.body).to include(issue.project.name)
expect(response.body).to include(issue.project.full_name)
end
it_behaves_like 'unsubscribing as anonymous', :public
end
end
@ -110,11 +127,11 @@ describe SentNotificationsController do
context 'when unsubscribing from issue' do
let(:noteable) { issue }
it 'shows issue title' do
it 'does not show issue title' do
expect(response.body).not_to include(issue.title)
end
it_behaves_like 'unsubscribing as anonymous'
it_behaves_like 'unsubscribing as anonymous', :private
end
context 'when unsubscribing from confidential issue' do
@ -125,17 +142,17 @@ describe SentNotificationsController do
expect(response.body).to include(confidential_issue.to_reference)
end
it_behaves_like 'unsubscribing as anonymous'
it_behaves_like 'unsubscribing as anonymous', :private
end
context 'when unsubscribing from merge request' do
let(:noteable) { merge_request }
it 'shows merge request title' do
it 'dos not show merge request title' do
expect(response.body).not_to include(merge_request.title)
end
it_behaves_like 'unsubscribing as anonymous'
it_behaves_like 'unsubscribing as anonymous', :private
end
end
end

9
spec/fixtures/api/schemas/evidences/milestone.json vendored
View file

@ -7,8 +7,7 @@
"state",
"iid",
"created_at",
"due_date",
"issues"
"due_date"
],
"properties": {
"id": { "type": "integer" },
@ -17,11 +16,7 @@
"state": { "type": "string" },
"iid": { "type": "integer" },
"created_at": { "type": "date" },
"due_date": { "type": ["date", "null"] },
"issues": {
"type": "array",
"items": { "$ref": "issue.json" }
}
"due_date": { "type": ["date", "null"] }
},
"additionalProperties": false
}

9
spec/lib/banzai/filter/relative_link_filter_spec.rb
View file

@ -128,6 +128,15 @@ describe Banzai::Filter::RelativeLinkFilter do
expect { filter(act) }.not_to raise_error
end
it 'does not raise an exception on URIs containing invalid utf-8 byte sequences in uploads' do
act = link("/uploads/%FF")
expect { filter(act) }.not_to raise_error
end
it 'does not raise an exception on URIs containing invalid utf-8 byte sequences in context requested path' do
expect { filter(link("files/test.md"), requested_path: '%FF') }.not_to raise_error
end
it 'does not raise an exception with a garbled path' do
act = link("open(/var/tmp/):%20/location%0Afrom:%20/test")
expect { filter(act) }.not_to raise_error

26
spec/models/user_spec.rb
View file

@ -2637,8 +2637,8 @@ describe User, :do_not_mock_admin_mode do
add_user(:maintainer)
end
it 'loads' do
expect(user.ci_owned_runners).to contain_exactly(runner)
it 'does not load' do
expect(user.ci_owned_runners).to be_empty
end
end
@ -2653,6 +2653,20 @@ describe User, :do_not_mock_admin_mode do
end
end
shared_examples :group_member do
context 'when the user is owner' do
before do
add_user(:owner)
end
it 'loads' do
expect(user.ci_owned_runners).to contain_exactly(runner)
end
end
it_behaves_like :member
end
context 'with groups projects runners' do
let(:group) { create(:group) }
let!(:project) { create(:project, group: group) }
@ -2661,7 +2675,7 @@ describe User, :do_not_mock_admin_mode do
group.add_user(user, access)
end
it_behaves_like :member
it_behaves_like :group_member
end
context 'with groups runners' do
@ -2672,14 +2686,14 @@ describe User, :do_not_mock_admin_mode do
group.add_user(user, access)
end
it_behaves_like :member
it_behaves_like :group_member
end
context 'with other projects runners' do
let!(:project) { create(:project) }
def add_user(access)
project.add_role(user, access)
project.add_user(user, access)
end
it_behaves_like :member
@ -2697,7 +2711,7 @@ describe User, :do_not_mock_admin_mode do
subgroup.add_user(another_user, :owner)
end
it_behaves_like :member
it_behaves_like :group_member
end
end

12
spec/requests/api/graphql/gitlab_schema_spec.rb
View file

@ -8,6 +8,18 @@ describe 'GitlabSchema configurations' do
set(:project) { create(:project) }
shared_examples 'imposing query limits' do
describe 'timeouts' do
context 'when timeout is reached' do
it 'shows an error' do
Timecop.scale(50000000) do # ludicrously large number because the timeout has to happen before the query even begins
subject
expect_graphql_errors_to_include /Timeout/
end
end
end
end
describe '#max_complexity' do
context 'when complexity is too high' do
it 'shows an error' do

34
spec/requests/api/releases_spec.rb
View file

@ -340,6 +340,40 @@ describe API::Releases do
expect(response).to have_gitlab_http_status(:ok)
end
context 'when release is associated to a milestone' do
let!(:release) do
create(:release, tag: 'v0.1', project: project, milestones: [milestone])
end
let(:milestone) { create(:milestone, project: project) }
it 'exposes milestones' do
get api("/projects/#{project.id}/releases/v0.1", non_project_member)
expect(json_response['milestones'].first['title']).to eq(milestone.title)
end
context 'when project restricts visibility of issues and merge requests' do
let!(:project) { create(:project, :repository, :public, :issues_private, :merge_requests_private) }
it 'does not expose milestones' do
get api("/projects/#{project.id}/releases/v0.1", non_project_member)
expect(json_response['milestones']).to be_nil
end
end
context 'when project restricts visibility of issues' do
let!(:project) { create(:project, :repository, :public, :issues_private) }
it 'exposes milestones' do
get api("/projects/#{project.id}/releases/v0.1", non_project_member)
expect(json_response['milestones'].first['title']).to eq(milestone.title)
end
end
end
end
end
end

16
spec/requests/api/runners_spec.rb
View file

@ -6,6 +6,7 @@ describe API::Runners do
let(:admin) { create(:user, :admin) }
let(:user) { create(:user) }
let(:user2) { create(:user) }
let(:group_maintainer) { create(:user) }
let(:project) { create(:project, creator_id: user.id) }
let(:project2) { create(:project, creator_id: user.id) }
@ -20,6 +21,7 @@ describe API::Runners do
before do
# Set project access for users
create(:group_member, :maintainer, user: group_maintainer, group: group)
create(:project_member, :maintainer, user: user, project: project)
create(:project_member, :maintainer, user: user, project: project2)
create(:project_member, :reporter, user: user2, project: project)
@ -525,6 +527,20 @@ describe API::Runners do
end.to change { Ci::Runner.project_type.count }.by(-1)
end
it 'does not delete group runner with maintainer access' do
delete api("/runners/#{group_runner.id}", group_maintainer)
expect(response).to have_http_status(403)
end
it 'deletes group runner with owner access' do
expect do
delete api("/runners/#{group_runner.id}", user)
expect(response).to have_http_status(204)
end.to change { Ci::Runner.group_type.count }.by(-1)
end
it_behaves_like '412 response' do
let(:request) { api("/runners/#{project_runner.id}", user) }
end