New upstream version 13.7.8+ds1
parent
7e5cacce5f
commit
230c9f7a6f
178 changed files with 368 additions and 283 deletions
11
CHANGELOG.md
11
CHANGELOG.md
|
@ -2,6 +2,17 @@
|
||||||
documentation](doc/development/changelog.md) for instructions on adding your own
|
documentation](doc/development/changelog.md) for instructions on adding your own
|
||||||
entry.
|
entry.
|
||||||
|
|
||||||
|
## 13.7.8 (2021-03-04)
|
||||||
|
|
||||||
|
### Security (5 changes)
|
||||||
|
|
||||||
|
- Bump thrift gem to 0.14.0.
|
||||||
|
- Allow only owners to manage group variables.
|
||||||
|
- Do not store marshalled sessions ids in Redis.
|
||||||
|
- Workhorse: prevent escaped router path traversal.
|
||||||
|
- Fix XSS vulnerability for swagger file viewer.
|
||||||
|
|
||||||
|
|
||||||
## 13.7.7 (2021-02-11)
|
## 13.7.7 (2021-02-11)
|
||||||
|
|
||||||
### Security (9 changes)
|
### Security (9 changes)
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
13.7.7
|
13.7.8
|
|
@ -1 +1 @@
|
||||||
8.58.2
|
8.58.4
|
||||||
|
|
3
Gemfile
3
Gemfile
|
@ -312,6 +312,9 @@ gem 'premailer-rails', '~> 1.10.3'
|
||||||
|
|
||||||
# LabKit: Tracing and Correlation
|
# LabKit: Tracing and Correlation
|
||||||
gem 'gitlab-labkit', '0.13.3'
|
gem 'gitlab-labkit', '0.13.3'
|
||||||
|
# Thrift is a dependency of gitlab-labkit, we want a version higher than 0.14.0
|
||||||
|
# because of https://gitlab.com/gitlab-org/gitlab/-/issues/321900
|
||||||
|
gem 'thrift', '>= 0.14.0'
|
||||||
|
|
||||||
# I18n
|
# I18n
|
||||||
gem 'ruby_parser', '~> 3.15', require: false
|
gem 'ruby_parser', '~> 3.15', require: false
|
||||||
|
|
|
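Review bot: The comment on the new `thrift` entry says "a version higher than 0.14.0", but the constraint `'>= 0.14.0'` also accepts 0.14.0 itself, which is the version the lockfile on this page resolves to. The comment should match the constraint, e.g. `# Thrift is a dependency of gitlab-labkit; require 0.14.0 or newer`. The constraint has no upper bound, so a later `bundle update` may move this transitive dependency across a major version. If that is not intended, a ceiling next to the security floor would make the range explicit.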
@ -1169,7 +1169,7 @@ GEM
|
||||||
rack (>= 1, < 3)
|
rack (>= 1, < 3)
|
||||||
thor (0.20.3)
|
thor (0.20.3)
|
||||||
thread_safe (0.3.6)
|
thread_safe (0.3.6)
|
||||||
thrift (0.13.0)
|
thrift (0.14.0)
|
||||||
tilt (2.0.10)
|
tilt (2.0.10)
|
||||||
timecop (0.9.1)
|
timecop (0.9.1)
|
||||||
timeliness (0.3.10)
|
timeliness (0.3.10)
|
||||||
|
@ -1516,6 +1516,7 @@ DEPENDENCIES
|
||||||
terser (= 1.0.2)
|
terser (= 1.0.2)
|
||||||
test-prof (~> 0.12.0)
|
test-prof (~> 0.12.0)
|
||||||
thin (~> 1.7.0)
|
thin (~> 1.7.0)
|
||||||
|
thrift (>= 0.14.0)
|
||||||
timecop (~> 0.9.1)
|
timecop (~> 0.9.1)
|
||||||
toml-rb (~> 1.0.0)
|
toml-rb (~> 1.0.0)
|
||||||
truncato (~> 0.7.11)
|
truncato (~> 0.7.11)
|
||||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
||||||
13.7.7
|
13.7.8
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
module Groups
|
module Groups
|
||||||
class VariablesController < Groups::ApplicationController
|
class VariablesController < Groups::ApplicationController
|
||||||
before_action :authorize_admin_build!
|
before_action :authorize_admin_group!
|
||||||
|
|
||||||
skip_cross_project_access_check :show, :update
|
skip_cross_project_access_check :show, :update
|
||||||
|
|
||||||
|
|
|
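Review bot: The `before_action :authorize_admin_group!` line has no comment explaining why the previous `authorize_admin_build!` check is not sufficient, so a later cleanup could quietly restore the weaker filter. A one-line comment above it would record the intent, e.g. `# Group CI/CD variables can hold secrets: require admin_group, not admin_build`. The changelog entry on this page ("Allow only owners to manage group variables") suggests that is the rationale, but the policy definitions are outside this hunk, so confirm the wording against them. The class body continues past the end of the hunk.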
@ -8,9 +8,8 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def destroy
|
def destroy
|
||||||
# params[:id] can be either an Rack::Session::SessionId#private_id
|
# params[:id] can be an Rack::Session::SessionId#private_id
|
||||||
# or an encrypted Rack::Session::SessionId#public_id
|
ActiveSession.destroy_session(current_user, params[:id])
|
||||||
ActiveSession.destroy_with_deprecated_encryption(current_user, params[:id])
|
|
||||||
current_user.forget_me!
|
current_user.forget_me!
|
||||||
|
|
||||||
respond_to do |format|
|
respond_to do |format|
|
||||||
|
|
|
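Review bot: The comment above the `ActiveSession.destroy_session` call still reads "can be an Rack::Session::SessionId#private_id", although the encrypted public_id alternative it used to list has been removed. With one accepted form left it should say so plainly, e.g. `# params[:id] is a Rack::Session::SessionId#private_id`. It would also help to note that the lookup is scoped to `current_user`, since the id comes straight from the request. `destroy` continues past the end of the hunk.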
@ -24,11 +24,6 @@ module ActiveSessionsHelper
|
||||||
end
|
end
|
||||||
|
|
||||||
def revoke_session_path(active_session)
|
def revoke_session_path(active_session)
|
||||||
if active_session.session_private_id
|
profile_active_session_path(active_session.session_private_id)
|
||||||
profile_active_session_path(active_session.session_private_id)
|
|
||||||
else
|
|
||||||
# TODO: remove in 13.7
|
|
||||||
profile_active_session_path(active_session.public_id)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
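Review bot: `revoke_session_path` now passes `active_session.session_private_id` to `profile_active_session_path` unconditionally, so an entry without a private id would hand `nil` to the route helper. That is the case the removed `else` branch handled. Whether such entries can still exist in Redis at this version cannot be determined from this hunk. If they can, the sessions list would presumably fail to render rather than just lose the revoke link. Either guard the call with `return unless active_session.session_private_id`, or add a comment stating that every stored session carries `session_private_id` by this release.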
@ -23,13 +23,6 @@ class ActiveSession
|
||||||
device_type&.titleize
|
device_type&.titleize
|
||||||
end
|
end
|
||||||
|
|
||||||
# This is not the same as Rack::Session::SessionId#public_id, but we
|
|
||||||
# need to preserve this for backwards compatibility.
|
|
||||||
# TODO: remove in 13.7
|
|
||||||
def public_id
|
|
||||||
Gitlab::CryptoHelper.aes256_gcm_encrypt(session_id)
|
|
||||||
end
|
|
||||||
|
|
||||||
def self.set(user, request)
|
def self.set(user, request)
|
||||||
Gitlab::Redis::SharedState.with do |redis|
|
Gitlab::Redis::SharedState.with do |redis|
|
||||||
session_private_id = request.session.id.private_id
|
session_private_id = request.session.id.private_id
|
||||||
|
@ -44,8 +37,6 @@ class ActiveSession
|
||||||
device_type: client.device_type,
|
device_type: client.device_type,
|
||||||
created_at: user.current_sign_in_at || timestamp,
|
created_at: user.current_sign_in_at || timestamp,
|
||||||
updated_at: timestamp,
|
updated_at: timestamp,
|
||||||
# TODO: remove in 13.7
|
|
||||||
session_id: request.session.id.public_id,
|
|
||||||
session_private_id: session_private_id,
|
session_private_id: session_private_id,
|
||||||
is_impersonated: request.session[:impersonator_id].present?
|
is_impersonated: request.session[:impersonator_id].present?
|
||||||
)
|
)
|
||||||
|
@ -61,20 +52,10 @@ class ActiveSession
|
||||||
lookup_key_name(user.id),
|
lookup_key_name(user.id),
|
||||||
session_private_id
|
session_private_id
|
||||||
)
|
)
|
||||||
|
|
||||||
# We remove the ActiveSession stored by using public_id to avoid
|
|
||||||
# duplicate entries
|
|
||||||
remove_deprecated_active_sessions_with_public_id(redis, user.id, request.session.id.public_id)
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# TODO: remove in 13.7
|
|
||||||
private_class_method def self.remove_deprecated_active_sessions_with_public_id(redis, user_id, rack_session_public_id)
|
|
||||||
redis.srem(lookup_key_name(user_id), rack_session_public_id)
|
|
||||||
redis.del(key_name(user_id, rack_session_public_id))
|
|
||||||
end
|
|
||||||
|
|
||||||
def self.list(user)
|
def self.list(user)
|
||||||
Gitlab::Redis::SharedState.with do |redis|
|
Gitlab::Redis::SharedState.with do |redis|
|
||||||
cleaned_up_lookup_entries(redis, user).map do |raw_session|
|
cleaned_up_lookup_entries(redis, user).map do |raw_session|
|
||||||
|
@ -90,18 +71,6 @@ class ActiveSession
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# TODO: remove in 13.7
|
|
||||||
# After upgrade there might be a duplicate ActiveSessions:
|
|
||||||
# - one with the public_id stored in #session_id
|
|
||||||
# - another with private_id stored in #session_private_id
|
|
||||||
def self.destroy_with_rack_session_id(user, rack_session_id)
|
|
||||||
return unless rack_session_id
|
|
||||||
|
|
||||||
Gitlab::Redis::SharedState.with do |redis|
|
|
||||||
destroy_sessions(redis, user, [rack_session_id.public_id, rack_session_id.private_id])
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def self.destroy_sessions(redis, user, session_ids)
|
def self.destroy_sessions(redis, user, session_ids)
|
||||||
key_names = session_ids.map { |session_id| key_name(user.id, session_id) }
|
key_names = session_ids.map { |session_id| key_name(user.id, session_id) }
|
||||||
|
|
||||||
|
@ -113,19 +82,11 @@ class ActiveSession
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# TODO: remove in 13.7
|
def self.destroy_session(user, session_id)
|
||||||
# After upgrade, .destroy might be called with the session id encrypted
|
|
||||||
# by .public_id.
|
|
||||||
def self.destroy_with_deprecated_encryption(user, session_id)
|
|
||||||
return unless session_id
|
return unless session_id
|
||||||
|
|
||||||
decrypted_session_id = decrypt_public_id(session_id)
|
|
||||||
rack_session_private_id = if decrypted_session_id
|
|
||||||
Rack::Session::SessionId.new(decrypted_session_id).private_id
|
|
||||||
end
|
|
||||||
|
|
||||||
Gitlab::Redis::SharedState.with do |redis|
|
Gitlab::Redis::SharedState.with do |redis|
|
||||||
destroy_sessions(redis, user, [session_id, decrypted_session_id, rack_session_private_id].compact)
|
destroy_sessions(redis, user, [session_id].compact)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -252,11 +213,4 @@ class ActiveSession
|
||||||
|
|
||||||
entries.compact
|
entries.compact
|
||||||
end
|
end
|
||||||
|
|
||||||
# TODO: remove in 13.7
|
|
||||||
private_class_method def self.decrypt_public_id(public_id)
|
|
||||||
Gitlab::CryptoHelper.aes256_gcm_decrypt(public_id)
|
|
||||||
rescue
|
|
||||||
nil
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
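Review bot: With `remove_deprecated_active_sessions_with_public_id` and `destroy_with_rack_session_id` removed, nothing in the visible hunks deletes entries written earlier under a public session id or still carrying the `session_id` field. Whether those are purged elsewhere or left to expire is not visible here, because the page truncates the file list. Since the changelog lists this as a security fix, a comment on `ActiveSession.set` stating how pre-upgrade entries are retired would help operators judge exposure. In `destroy_session`, `[session_id].compact` is redundant after the `return unless session_id` guard and can be `destroy_sessions(redis, user, [session_id])`. The method also lost its explanatory comment; `# session_id is the Rack::Session::SessionId#private_id of the session to revoke` would document the expected argument.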
@ -40,8 +40,7 @@ Rails.application.configure do |config|
|
||||||
activity = Gitlab::Auth::Activity.new(opts)
|
activity = Gitlab::Auth::Activity.new(opts)
|
||||||
tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
|
tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
|
||||||
|
|
||||||
# TODO: switch to `auth.request.session.id.private_id` in 13.7
|
ActiveSession.destroy_session(user, auth.request.session.id.private_id) if auth.request.session.id
|
||||||
ActiveSession.destroy_with_rack_session_id(user, auth.request.session.id)
|
|
||||||
activity.user_session_destroyed!
|
activity.user_session_destroyed!
|
||||||
|
|
||||||
##
|
##
|
||||||
|
|
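Review bot: The new line `ActiveSession.destroy_session(user, auth.request.session.id.private_id) if auth.request.session.id` evaluates `auth.request.session.id` twice and relies on a trailing modifier to avoid calling `private_id` on nil. `destroy_session` already returns early for a nil id (`return unless session_id` in the model hunk on this page), so safe navigation expresses the same thing more directly: `ActiveSession.destroy_session(user, auth.request.session.id&.private_id)`. The enclosing block starts and ends outside the hunk.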
26
elasticsearch-rails/.gitignore
vendored
26
elasticsearch-rails/.gitignore
vendored
|
@ -1,17 +1,11 @@
|
||||||
*.gem
|
.DS_Store
|
||||||
*.rbc
|
*.log
|
||||||
.bundle
|
tmp/
|
||||||
.config
|
.idea/*
|
||||||
.yardoc
|
|
||||||
Gemfile.lock
|
.yardoc/
|
||||||
InstalledFiles
|
_yardoc/
|
||||||
_yardoc
|
coverage/
|
||||||
coverage
|
rdoc/
|
||||||
doc/
|
doc/
|
||||||
lib/bundler/man
|
Gemfile.lock
|
||||||
pkg
|
|
||||||
rdoc
|
|
||||||
spec/reports
|
|
||||||
test/tmp
|
|
||||||
test/version_tmp
|
|
||||||
tmp
|
|
||||||
|
|
66
elasticsearch-rails/.travis.yml
Normal file
66
elasticsearch-rails/.travis.yml
Normal file
|
@ -0,0 +1,66 @@
|
||||||
|
# -----------------------------------------------------------------------------
|
||||||
|
# Configuration file for http://travis-ci.org/elasticsearch/elasticsearch-rails
|
||||||
|
# -----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
dist: trusty
|
||||||
|
|
||||||
|
sudo: required
|
||||||
|
|
||||||
|
language: ruby
|
||||||
|
|
||||||
|
services:
|
||||||
|
- mongodb
|
||||||
|
|
||||||
|
branches:
|
||||||
|
only:
|
||||||
|
- master
|
||||||
|
- travis
|
||||||
|
- 5.x
|
||||||
|
- 6.x
|
||||||
|
- 2.x
|
||||||
|
|
||||||
|
matrix:
|
||||||
|
include:
|
||||||
|
- rvm: 2.2
|
||||||
|
jdk: oraclejdk8
|
||||||
|
env: RAILS_VERSIONS=3.0
|
||||||
|
|
||||||
|
- rvm: 2.3.8
|
||||||
|
jdk: oraclejdk8
|
||||||
|
env: RAILS_VERSIONS=5.0
|
||||||
|
|
||||||
|
- rvm: 2.6.1
|
||||||
|
jdk: oraclejdk8
|
||||||
|
env: RAILS_VERSIONS=4.0,5.0
|
||||||
|
|
||||||
|
- rvm: jruby-9.2.5.0
|
||||||
|
jdk: oraclejdk8
|
||||||
|
env: RAILS_VERSIONS=5.0
|
||||||
|
|
||||||
|
env:
|
||||||
|
global:
|
||||||
|
- ELASTICSEARCH_VERSION=6.4.0
|
||||||
|
- QUIET=true
|
||||||
|
|
||||||
|
|
||||||
|
before_install:
|
||||||
|
- wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELASTICSEARCH_VERSION}.deb
|
||||||
|
- wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELASTICSEARCH_VERSION}.deb.sha512
|
||||||
|
- shasum -a 512 -c elasticsearch-${ELASTICSEARCH_VERSION}.deb.sha512
|
||||||
|
- sudo dpkg -i --force-confnew elasticsearch-${ELASTICSEARCH_VERSION}.deb
|
||||||
|
- sudo service elasticsearch start
|
||||||
|
- gem update --system
|
||||||
|
- gem update bundler
|
||||||
|
- gem --version
|
||||||
|
- bundle version
|
||||||
|
|
||||||
|
install:
|
||||||
|
- bundle install
|
||||||
|
- rake bundle:clean
|
||||||
|
- rake bundle:install
|
||||||
|
|
||||||
|
script:
|
||||||
|
- rake test:all
|
||||||
|
|
||||||
|
notifications:
|
||||||
|
disable: true
|
Some files were not shown because too many files have changed in this diff Show more