Merge tag 'debian/13.7.8+ds1-1' into buster-fasttrack

gitlab Debian release 13.7.8+ds1-1

CHANGELOG.md

@@ -2,6 +2,17 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 13.7.8 (2021-03-04)
+
+### Security (5 changes)
+
+- Bump thrift gem to 0.14.0.
+- Allow only owners to manage group variables.
+- Do not store marshalled sessions ids in Redis.
+- Workhorse: prevent escaped router path traversal.
+- Fix XSS vulnerability for swagger file viewer.
+
+
 ## 13.7.7 (2021-02-11)
 
 ### Security (9 changes)

GITALY_SERVER_VERSION

@@ -1 +1 @@
-13.7.7
+13.7.8

GITLAB_WORKHORSE_VERSION

@@ -1 +1 @@
-8.58.2
+8.58.4

Gemfile

@@ -312,6 +312,9 @@ gem 'premailer-rails', '~> 1.10.3'
 
 # LabKit: Tracing and Correlation
 gem 'gitlab-labkit', '0.13.3'
+# Thrift is a dependency of gitlab-labkit, we want a version higher than 0.14.0
+# because of https://gitlab.com/gitlab-org/gitlab/-/issues/321900
+gem 'thrift', '>= 0.14.0'
 
 # I18n
 gem 'ruby_parser', '~> 3.15', require: false

Gemfile.lock

@@ -1169,7 +1169,7 @@ GEM
       rack (>= 1, < 3)
     thor (0.20.3)
     thread_safe (0.3.6)
-    thrift (0.13.0)
+    thrift (0.14.0)
     tilt (2.0.10)
     timecop (0.9.1)
     timeliness (0.3.10)
@@ -1516,6 +1516,7 @@ DEPENDENCIES
   terser (= 1.0.2)
   test-prof (~> 0.12.0)
   thin (~> 1.7.0)
+  thrift (>= 0.14.0)
   timecop (~> 0.9.1)
   toml-rb (~> 1.0.0)
   truncato (~> 0.7.11)

VERSION

@@ -1 +1 @@
-13.7.7
+13.7.8

app/controllers/groups/variables_controller.rb

@@ -2,7 +2,7 @@
 
 module Groups
   class VariablesController < Groups::ApplicationController
-    before_action :authorize_admin_build!
+    before_action :authorize_admin_group!
 
     skip_cross_project_access_check :show, :update
 

app/controllers/profiles/active_sessions_controller.rb

@@ -8,9 +8,8 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController
   end
 
   def destroy
-    # params[:id] can be either an Rack::Session::SessionId#private_id
-    # or an encrypted Rack::Session::SessionId#public_id
-    ActiveSession.destroy_with_deprecated_encryption(current_user, params[:id])
+    # params[:id] can be an Rack::Session::SessionId#private_id
+    ActiveSession.destroy_session(current_user, params[:id])
     current_user.forget_me!
 
     respond_to do |format|

app/helpers/active_sessions_helper.rb

@@ -24,11 +24,6 @@ module ActiveSessionsHelper
   end
 
   def revoke_session_path(active_session)
-    if active_session.session_private_id
-      profile_active_session_path(active_session.session_private_id)
-    else
-      # TODO: remove in 13.7
-      profile_active_session_path(active_session.public_id)
-    end
+    profile_active_session_path(active_session.session_private_id)
   end
 end

app/models/active_session.rb

@@ -23,13 +23,6 @@ class ActiveSession
     device_type&.titleize
   end
 
-  # This is not the same as Rack::Session::SessionId#public_id, but we
-  # need to preserve this for backwards compatibility.
-  # TODO: remove in 13.7
-  def public_id
-    Gitlab::CryptoHelper.aes256_gcm_encrypt(session_id)
-  end
-
   def self.set(user, request)
     Gitlab::Redis::SharedState.with do |redis|
       session_private_id = request.session.id.private_id
@@ -44,8 +37,6 @@ class ActiveSession
         device_type: client.device_type,
         created_at: user.current_sign_in_at || timestamp,
         updated_at: timestamp,
-        # TODO: remove in 13.7
-        session_id: request.session.id.public_id,
         session_private_id: session_private_id,
         is_impersonated: request.session[:impersonator_id].present?
       )
@@ -61,20 +52,10 @@ class ActiveSession
           lookup_key_name(user.id),
           session_private_id
         )
-
-        # We remove the ActiveSession stored by using public_id to avoid
-        # duplicate entries
-        remove_deprecated_active_sessions_with_public_id(redis, user.id, request.session.id.public_id)
       end
     end
   end
 
-  # TODO: remove in 13.7
-  private_class_method def self.remove_deprecated_active_sessions_with_public_id(redis, user_id, rack_session_public_id)
-    redis.srem(lookup_key_name(user_id), rack_session_public_id)
-    redis.del(key_name(user_id, rack_session_public_id))
-  end
-
   def self.list(user)
     Gitlab::Redis::SharedState.with do |redis|
       cleaned_up_lookup_entries(redis, user).map do |raw_session|
@@ -90,18 +71,6 @@ class ActiveSession
     end
   end
 
-  # TODO: remove in 13.7
-  # After upgrade there might be a duplicate ActiveSessions:
-  # - one with the public_id stored in #session_id
-  # - another with private_id stored in #session_private_id
-  def self.destroy_with_rack_session_id(user, rack_session_id)
-    return unless rack_session_id
-
-    Gitlab::Redis::SharedState.with do |redis|
-      destroy_sessions(redis, user, [rack_session_id.public_id, rack_session_id.private_id])
-    end
-  end
-
   def self.destroy_sessions(redis, user, session_ids)
     key_names = session_ids.map { |session_id| key_name(user.id, session_id) }
 
@@ -113,19 +82,11 @@ class ActiveSession
     end
   end
 
-  # TODO: remove in 13.7
-  # After upgrade, .destroy might be called with the session id encrypted
-  # by .public_id.
-  def self.destroy_with_deprecated_encryption(user, session_id)
+  def self.destroy_session(user, session_id)
     return unless session_id
 
-    decrypted_session_id = decrypt_public_id(session_id)
-    rack_session_private_id = if decrypted_session_id
-                                Rack::Session::SessionId.new(decrypted_session_id).private_id
-                              end
-
     Gitlab::Redis::SharedState.with do |redis|
-      destroy_sessions(redis, user, [session_id, decrypted_session_id, rack_session_private_id].compact)
+      destroy_sessions(redis, user, [session_id].compact)
     end
   end
 
@@ -252,11 +213,4 @@ class ActiveSession
 
     entries.compact
   end
-
-  # TODO: remove in 13.7
-  private_class_method def self.decrypt_public_id(public_id)
-    Gitlab::CryptoHelper.aes256_gcm_decrypt(public_id)
-  rescue
-    nil
-  end
 end

config/initializers/warden.rb

@@ -40,8 +40,7 @@ Rails.application.configure do |config|
     activity = Gitlab::Auth::Activity.new(opts)
     tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
 
-    # TODO: switch to `auth.request.session.id.private_id` in 13.7
-    ActiveSession.destroy_with_rack_session_id(user, auth.request.session.id)
+    ActiveSession.destroy_session(user, auth.request.session.id.private_id) if auth.request.session.id
     activity.user_session_destroyed!
 
     ##

debian/.gitlab-ci.yml

@@ -3,7 +3,8 @@
 include:
   - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
 
-## "amd64-unstable" always runs by default followed by lintian.
+## "amd64-unstable+lintian" job always runs by default (except on
+## "buster-backports" branches).
 
 ## Only for arch:all packages:
 binary-indep:
@@ -12,18 +13,27 @@ binary-indep:
 ## Job to check Build-Depends versioning:
 amd64-testing_unstable:
   extends: .build
+  except:
+    - buster-backports
+    - tags
   variables:
     arch: amd64
     dist: testing_unstable
 
 i386-unstable:
   extends: .build
+  except:
+    - buster-backports
+    - tags
   variables:
     arch: i386
     dist: unstable
 
 amd64-experimental:
   extends: .build
+  except:
+    - buster-backports
+    - tags
   variables:
     arch: amd64
     dist: experimental
@@ -31,7 +41,7 @@ amd64-experimental:
 amd64-stable:
   extends: .build
   when: manual
-  allow_failure: false
+  allow_failure: true
   variables:
     arch: amd64
     dist: stable

debian/changelog

@@ -1,3 +1,22 @@
+gitlab (13.7.8+ds1-1) experimental; urgency=medium
+
+  [ Dmitry Smirnov ]
+  * watch: fixed upstream MUT/tarballs downloading with "uscan" and "origtargz"
+  * L:debian-rules-uses-unnecessary-dh-argument
+  * CI: minor corrections; exclude "buster-backports" and tags.
+  * watch: added "repacksuffix=+ds1".
+  * changelog update
+  * watch: corrected for "uscan --download-version" case.
+
+  [ Pirate Praveen ]
+  * Remove elasticsearch-model component from debian/gbp.conf (now included
+    in elasticsearch-rails component)
+  * New upstream version 13.7.8+ds1 (Fixes: CVE-2021-22185, CVE-2021-22186)
+  * Refresh patches
+  * Update minimum version of ruby-thrift to 0.14~
+
+ -- Pirate Praveen <praveen@debian.org>  Fri, 05 Mar 2021 16:21:41 +0530
+
 gitlab (13.7.7-2~fto10+1) buster-fasttrack; urgency=medium
 
   * Rebuild for buster-fasttrack.
@@ -31,6 +50,13 @@ gitlab (13.7.7-1) experimental; urgency=medium
  
  -- Pirate Praveen <praveen@debian.org>  Sat, 27 Feb 2021 22:43:54 +0530
 
+gitlab (13.6.7-3) experimental; urgency=medium
+
+  * Add --quiet to gitlab-sidekiq.service running bundle install --local
+  * Switch back to ruby-rugged 0.28 (use snapshot.debian.org)
+
+ -- Pirate Praveen <praveen@debian.org>  Wed, 24 Feb 2021 21:46:34 +0530
+
 gitlab (13.6.7-2) experimental; urgency=medium
 
   * Change dependency on ruby to ruby2.7

debian/control

@@ -275,6 +275,9 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
  ruby-premailer-rails (>= 1.10.3-2~),
 # LabKit: Tracing and Correlation
  ruby-gitlab-labkit (>= 0.13.3~),
+# Thrift is a dependency of gitlab-labkit, we want a version higher than 0.14.0
+# because of https://gitlab.com/gitlab-org/gitlab/-/issues/321900
+ ruby-thrift (>= 0.14~),
 # I18n
  ruby-ruby-parser (>= 3.15~),
  ruby-rails-i18n (>= 6.0~),

debian/copyright

@@ -4,6 +4,15 @@ Source: https://gitlab.com/gitlab-org/gitlab-foss
 Comment: This package installs front end dependencies (nodejs modules) using
  yarn package manager from outside debian. This can go to main when all
  those nodejs modules are packaged in main.
+Files-Excluded-elasticsearch-rails:
+    CHANGELOG.md
+    CONTRIBUTING.md
+   ~elasticsearch-model
+    elasticsearch-persistence
+   ~elasticsearch-rails
+    Gemfile
+    Rakefile
+    README.md
 
 Files: *
 Copyright: 2011-2015 GitLab B.V.

debian/gbp.conf

@@ -1,2 +1,2 @@
 [DEFAULT]
-component = [ 'elasticsearch-model', 'elasticsearch-rails', 'snowplow-javascript-tracker' ]
+component = [ 'elasticsearch-rails', 'snowplow-javascript-tracker' ]

debian/gitlab.install

@@ -69,5 +69,5 @@ VERSION usr/share/gitlab
 shared var/lib/gitlab
 public var/lib/gitlab
 db var/lib/gitlab
-elasticsearch-model usr/share/gitlab/vendor/gems
-elasticsearch-rails usr/share/gitlab/vendor/gems
+elasticsearch-rails/elasticsearch-model usr/share/gitlab/vendor/gems
+elasticsearch-rails/elasticsearch-rails usr/share/gitlab/vendor/gems

debian/patches/0050-relax-stable-libs.patch

@@ -315,7 +315,7 @@ gitlab Gemfile
  
  # Sentry integration
  gem 'sentry-raven', '~> 3.0'
-@@ -308,19 +308,19 @@
+@@ -308,10 +308,10 @@
  # PostgreSQL query parsing
  gem 'gitlab-pg_query', '~> 1.3', require: 'pg_query'
  
@@ -325,7 +325,10 @@ gitlab Gemfile
  # LabKit: Tracing and Correlation
 -gem 'gitlab-labkit', '0.13.3'
 +gem 'gitlab-labkit', '~> 0.13.3'
- 
+ # Thrift is a dependency of gitlab-labkit, we want a version higher than 0.14.0
+ # because of https://gitlab.com/gitlab-org/gitlab/-/issues/321900
+ gem 'thrift', '>= 0.14.0'
+@@ -319,11 +319,11 @@
  # I18n
  gem 'ruby_parser', '~> 3.15', require: false
  gem 'rails-i18n', '~> 6.0'
@@ -339,7 +342,7 @@ gitlab Gemfile
  
  # Perf bar
  gem 'peek', '~> 1.1'
-@@ -352,37 +352,37 @@
+@@ -355,37 +355,37 @@
  
  group :development, :test do
    gem 'deprecation_toolkit', '~> 1.5.1', require: false
@@ -388,7 +391,7 @@ gitlab Gemfile
  
    gem 'timecop', '~> 0.9.1'
  
-@@ -404,18 +404,18 @@
+@@ -407,18 +407,18 @@
  end
  
  group :test do
@@ -413,7 +416,7 @@ gitlab Gemfile
    gem 'rails-controller-testing'
    gem 'concurrent-ruby', '~> 1.1'
    gem 'test-prof', '~> 0.12.0'
-@@ -434,7 +434,7 @@
+@@ -437,7 +437,7 @@
  gem 'email_reply_trimmer', '~> 0.1'
  gem 'html2text'
  
@@ -422,7 +425,7 @@ gitlab Gemfile
  gem 'stackprof', '~> 0.2.15', require: false
  gem 'rbtrace', '~> 0.4', require: false
  gem 'memory_profiler', '~> 0.9', require: false
-@@ -448,8 +448,8 @@
+@@ -451,8 +451,8 @@
  gem 'health_check', '~> 3.0'
  
  # System information
@@ -433,7 +436,7 @@ gitlab Gemfile
  
  # NTP client
  gem 'net-ntp'
-@@ -465,13 +465,13 @@
+@@ -468,13 +468,13 @@
  end
  
  # Gitaly GRPC protocol definitions
@@ -450,7 +453,7 @@ gitlab Gemfile
  
  # Feature toggles
  gem 'flipper', '~> 0.17.1'
-@@ -490,12 +490,12 @@
+@@ -493,12 +493,12 @@
  # Countries list
  gem 'countries', '~> 3.0'
  
@@ -465,7 +468,7 @@ gitlab Gemfile
  
  # Locked as long as quoted-printable encoding issues are not resolved
  # Monkey-patched in `config/initializers/mail_encoding_patch.rb`
-@@ -509,12 +509,12 @@
+@@ -512,12 +512,12 @@
  gem 'valid_email', '~> 0.1'
  
  # JSON

debian/patches/0100-remove-development-test.patch

@@ -10,7 +10,7 @@ Bundler will fail when it can't find these locally
  gem 'graphlient', '~> 0.4.0' # Used by BulkImport feature (group::import)
  
  gem 'hashie'
-@@ -318,7 +317,6 @@
+@@ -321,7 +320,6 @@
  gem 'rails-i18n', '~> 6.0'
  gem 'gettext_i18n_rails', '~> 1.8'
  gem 'gettext_i18n_rails_js', '~> 1.3'
@@ -18,7 +18,7 @@ Bundler will fail when it can't find these locally
  
  gem 'batch-loader', '~> 1.4'
  
-@@ -337,19 +335,6 @@
+@@ -340,19 +338,6 @@
    gem 'raindrops', '~> 0.18'
  end
  
@@ -38,7 +38,7 @@ Bundler will fail when it can't find these locally
  group :development, :test do
    gem 'deprecation_toolkit', '~> 1.5.1', require: false
    gem 'bullet', '~> 6.1'
-@@ -371,12 +356,6 @@
+@@ -374,12 +359,6 @@
    gem 'spring', '~> 2.1'
    gem 'spring-commands-rspec', '~> 1.0', '>= 1.0.4'
  
@@ -51,7 +51,7 @@ Bundler will fail when it can't find these locally
    gem 'benchmark-ips', '~> 2.3', require: false
  
    gem 'knapsack', '~> 1.17'
-@@ -393,16 +372,6 @@
+@@ -396,16 +375,6 @@
    gem 'rblineprof', '~> 0.3.6', platform: :mri, require: false
  end
  

debian/patches/0110-make-test-dependencies-conditional.patch

@@ -2,7 +2,7 @@ Make test dependencies conditional so we can enable them when running autopkgtes
 
 --- a/Gemfile
 +++ b/Gemfile
-@@ -335,7 +335,7 @@
+@@ -338,7 +338,7 @@
    gem 'raindrops', '~> 0.18'
  end
  
@@ -11,7 +11,7 @@ Make test dependencies conditional so we can enable them when running autopkgtes
    gem 'deprecation_toolkit', '~> 1.5.1', require: false
    gem 'bullet', '~> 6.1'
    gem 'pry-byebug', '~> 3.9', platform: :mri
-@@ -370,9 +370,7 @@
+@@ -373,9 +373,7 @@
    gem 'parallel', '~> 1.19', require: false
  
    gem 'rblineprof', '~> 0.3.6', platform: :mri, require: false

debian/patches/0499-10-relax-capybara.patch

@@ -1,6 +1,6 @@
 --- a/Gemfile
 +++ b/Gemfile
-@@ -365,7 +365,7 @@
+@@ -368,7 +368,7 @@
    gem 'rspec_profiling', '~> 0.0.6'
    gem 'rspec-parameterized', require: false
  

debian/patches/0499-20-remove-capybara-screenshot.patch

@@ -1,6 +1,6 @@
 --- a/Gemfile
 +++ b/Gemfile
-@@ -366,7 +366,6 @@
+@@ -369,7 +369,6 @@
    gem 'rspec-parameterized', require: false
  
    gem 'capybara', '~> 3.12'

debian/patches/0499-30-remove-guard-rspec.patch

@@ -1,6 +1,6 @@
 --- a/Gemfile
 +++ b/Gemfile
-@@ -375,7 +375,6 @@
+@@ -378,7 +378,6 @@
    gem 'concurrent-ruby', '~> 1.1'
    gem 'test-prof', '~> 0.12.0'
    gem 'rspec_junit_formatter'

debian/patches/0530-typescript-yarnpkg-comapt.patch

@@ -4,7 +4,7 @@ Bug: https://github.com/yarnpkg/berry/pull/2440
 
 --- a/package.json
 +++ b/package.json
-@@ -167,7 +167,8 @@
+@@ -166,7 +166,8 @@
    },
    "resolutions": {
      "chokidar": "^3.4.0",

debian/patches/0740-use-packaged-modules.patch

@@ -227,7 +227,7 @@ Use debian packaged node modules when available
      "select2": "3.5.2-browserify",
 @@ -134,26 +134,25 @@
      "style-loader": "^1.1.3",
-     "swagger-ui-dist": "^3.32.4",
+     "swagger-ui-dist": "^3.43.0",
      "three": "^0.84.0",
 -    "three-orbit-controls": "^82.1.0",
 +    "three-orbit-controls": "link:/usr/share/nodejs/three-orbit-controls",

debian/rules

@@ -3,7 +3,7 @@
 include /usr/share/dpkg/pkg-info.mk
 
 %:
-	dh $@ --with=systemd
+	dh $@
 
 override_dh_install:
 	dh_install -XLICENSE

debian/upstream-file-list

@@ -72,7 +72,6 @@ debian
 doc
 docker
 docker-compose.yml
-elasticsearch-model
 elasticsearch-rails
 file_hooks
 fixtures

debian/watch

@@ -1,15 +1,16 @@
 version=4
+
+# uscan: repacksuffix is not compatible with the multiple upstream tarballs; use oversionmangle.
+
 opts="uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha|b|a)\d*)$/$1~$2/,\
-filenamemangle=s/.*v(.*)\/.*/gitlab-$1.tar.gz/,\
+repack,compression=xz,oversionmangle=s{\Z}{+ds1},\
 dversionmangle=s/(\d)[\+]?(debian|dfsg|ds|deb|gh)\d*(\~)*(rc)*(\d)*$/$1$3$4$5/ \
-" https://gitlab.com/gitlab-org/gitlab-foss/-/tags .*/gitlab-foss-v(\d[\d.]*)\.tar\.gz debian
+" https://gitlab.com/gitlab-org/gitlab-foss/-/tags .*/gitlab-foss-v(\d[\d.]*)\.tar\.gz
 
-opts="pgpmode=none,component=elasticsearch-model" \
-https://gemwatch.debian.net/elasticsearch-model .*/elasticsearch-model-(6.1.*).tar.gz ignore
-
-opts="pgpmode=none,component=elasticsearch-rails" \
-https://gemwatch.debian.net/elasticsearch-rails .*/elasticsearch-rails-(6.1.*).tar.gz ignore
+opts="pgpmode=none,component=elasticsearch-rails,\
+" https://github.com/elastic/elasticsearch-rails/releases \
+ .*/archive/v?(6\.1\.0)@ARCHIVE_EXT@$ ignore
 
 opts="pgpmode=none,component=snowplow-javascript-tracker,\
-filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/snowplow-javascript-tracker-\$1\.tar\.gz/" \
-https://github.com/snowplow/snowplow-javascript-tracker/tags?after=2.11.0-rc3 .*/v?(2.10.0)\.tar\.gz ignore
+" https://github.com/snowplow/snowplow-javascript-tracker/tags?after=2.11.0-rc3 \
+ .*/archive/v?(2\.10\.0)@ARCHIVE_EXT@$ ignore

elasticsearch-rails/.gitignore

@@ -1,17 +1,11 @@
-*.gem
-*.rbc
-.bundle
-.config
-.yardoc
-Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
+.DS_Store
+*.log
+tmp/
+.idea/*
+
+.yardoc/
+_yardoc/
+coverage/
+rdoc/
 doc/
-lib/bundler/man
-pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp
+Gemfile.lock

elasticsearch-rails/.travis.yml

@@ -0,0 +1,66 @@
+# -----------------------------------------------------------------------------
+# Configuration file for http://travis-ci.org/elasticsearch/elasticsearch-rails
+# -----------------------------------------------------------------------------
+
+dist: trusty
+
+sudo: required
+
+language: ruby
+
+services:
+  - mongodb
+
+branches:
+  only:
+    - master
+    - travis
+    - 5.x
+    - 6.x
+    - 2.x
+
+matrix:
+  include:
+    - rvm: 2.2
+      jdk: oraclejdk8
+      env: RAILS_VERSIONS=3.0
+
+    - rvm: 2.3.8
+      jdk: oraclejdk8
+      env: RAILS_VERSIONS=5.0
+
+    - rvm: 2.6.1
+      jdk: oraclejdk8
+      env: RAILS_VERSIONS=4.0,5.0
+
+    - rvm: jruby-9.2.5.0
+      jdk: oraclejdk8
+      env: RAILS_VERSIONS=5.0
+
+env:
+  global:
+    - ELASTICSEARCH_VERSION=6.4.0
+    - QUIET=true
+
+
+before_install:
+  - wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELASTICSEARCH_VERSION}.deb
+  - wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELASTICSEARCH_VERSION}.deb.sha512
+  - shasum -a 512 -c elasticsearch-${ELASTICSEARCH_VERSION}.deb.sha512
+  - sudo dpkg -i --force-confnew elasticsearch-${ELASTICSEARCH_VERSION}.deb
+  - sudo service elasticsearch start
+  - gem update --system
+  - gem update bundler
+  - gem --version
+  - bundle version
+
+install:
+  - bundle install
+  - rake bundle:clean
+  - rake bundle:install
+
+script:
+  - rake test:all
+
+notifications:
+  disable: true