New upstream version 13.7.8+ds1

This commit is contained in:
Pirate Praveen 2021-03-05 16:19:46 +05:30
parent 7e5cacce5f
commit 230c9f7a6f
178 changed files with 368 additions and 283 deletions


@ -2,6 +2,17 @@
documentation](doc/development/changelog.md) for instructions on adding your own documentation](doc/development/changelog.md) for instructions on adding your own
entry. entry.
## 13.7.8 (2021-03-04)
### Security (5 changes)
- Bump thrift gem to 0.14.0.
- Allow only owners to manage group variables.
- Do not store marshalled sessions ids in Redis.
- Workhorse: prevent escaped router path traversal.
- Fix XSS vulnerability for swagger file viewer.
## 13.7.7 (2021-02-11) ## 13.7.7 (2021-02-11)
### Security (9 changes) ### Security (9 changes)


@ -1 +1 @@
13.7.7 13.7.8


@ -1 +1 @@
8.58.2 8.58.4


@ -312,6 +312,9 @@ gem 'premailer-rails', '~> 1.10.3'
# LabKit: Tracing and Correlation # LabKit: Tracing and Correlation
gem 'gitlab-labkit', '0.13.3' gem 'gitlab-labkit', '0.13.3'
# Thrift is a dependency of gitlab-labkit, we want a version higher than 0.14.0
# because of https://gitlab.com/gitlab-org/gitlab/-/issues/321900
gem 'thrift', '>= 0.14.0'
# I18n # I18n
gem 'ruby_parser', '~> 3.15', require: false gem 'ruby_parser', '~> 3.15', require: false
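Review bot: The comment above `gem 'thrift', '>= 0.14.0'` says "we want a version higher than 0.14.0", but the constraint admits 0.14.0 itself and the Gemfile.lock hunk in this commit resolves to exactly 0.14.0, so the wording contradicts the pin. Reword it to `# Thrift is a dependency of gitlab-labkit; we require at least 0.14.0` so the intent matches the constraint. The open-ended `>=` is acceptable because the lockfile fixes the resolved version, but without the fix a reader may wonder whether 0.14.0 was meant to be excluded.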


@ -1169,7 +1169,7 @@ GEM
rack (>= 1, < 3) rack (>= 1, < 3)
thor (0.20.3) thor (0.20.3)
thread_safe (0.3.6) thread_safe (0.3.6)
thrift (0.13.0) thrift (0.14.0)
tilt (2.0.10) tilt (2.0.10)
timecop (0.9.1) timecop (0.9.1)
timeliness (0.3.10) timeliness (0.3.10)
@ -1516,6 +1516,7 @@ DEPENDENCIES
terser (= 1.0.2) terser (= 1.0.2)
test-prof (~> 0.12.0) test-prof (~> 0.12.0)
thin (~> 1.7.0) thin (~> 1.7.0)
thrift (>= 0.14.0)
timecop (~> 0.9.1) timecop (~> 0.9.1)
toml-rb (~> 1.0.0) toml-rb (~> 1.0.0)
truncato (~> 0.7.11) truncato (~> 0.7.11)


@ -1 +1 @@
13.7.7 13.7.8


@ -2,7 +2,7 @@
module Groups module Groups
class VariablesController < Groups::ApplicationController class VariablesController < Groups::ApplicationController
before_action :authorize_admin_build! before_action :authorize_admin_group!
skip_cross_project_access_check :show, :update skip_cross_project_access_check :show, :update
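Review bot: The `before_action` line now requires `authorize_admin_group!` instead of `authorize_admin_build!`, but nothing in the controller records why group-level CI variables need the stricter check, so a later refactor could quietly relax it again. Add a comment above it: `# Managing group CI variables requires group admin rights, not just build admin rights (security fix, 13.7.8).` The changelog entry in this commit states the intent as owners only; I cannot see `authorize_admin_group!` here to confirm it maps to the owner role, so that mapping is worth asserting in a request spec. The class body continues outside the hunk.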


@ -8,9 +8,8 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController
end end
def destroy def destroy
# params[:id] can be either an Rack::Session::SessionId#private_id # params[:id] can be an Rack::Session::SessionId#private_id
# or an encrypted Rack::Session::SessionId#public_id ActiveSession.destroy_session(current_user, params[:id])
ActiveSession.destroy_with_deprecated_encryption(current_user, params[:id])
current_user.forget_me! current_user.forget_me!
respond_to do |format| respond_to do |format|
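Review bot: The surviving comment `# params[:id] can be an Rack::Session::SessionId#private_id` still reads as if other id forms were accepted, even though this change removes the encrypted public_id path; reword it to `# params[:id] is the Rack::Session::SessionId#private_id of the session to revoke`. The id now flows straight from the request into `ActiveSession.destroy_session(current_user, params[:id])`, so it would also help to state in that comment that deletion is scoped to `current_user`, which I infer from the user being passed as the first argument. The `destroy` action continues outside the hunk.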


@ -24,11 +24,6 @@ module ActiveSessionsHelper
end end
def revoke_session_path(active_session) def revoke_session_path(active_session)
if active_session.session_private_id profile_active_session_path(active_session.session_private_id)
profile_active_session_path(active_session.session_private_id)
else
# TODO: remove in 13.7
profile_active_session_path(active_session.public_id)
end
end end
end end
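Review bot: `revoke_session_path` now calls `profile_active_session_path(active_session.session_private_id)` unconditionally; if any session entry in Redis still lacks `session_private_id` (the case the removed `else` branch covered), passing `nil` as the route's `:id` will likely raise a URL generation error while the sessions page renders. If such entries can survive the upgrade, guard the helper with `return unless active_session.session_private_id` or filter them out in the listing; if they cannot, a one-line comment saying so would save the next reader the same question. The enclosing module closes within the hunk.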


@ -23,13 +23,6 @@ class ActiveSession
device_type&.titleize device_type&.titleize
end end
# This is not the same as Rack::Session::SessionId#public_id, but we
# need to preserve this for backwards compatibility.
# TODO: remove in 13.7
def public_id
Gitlab::CryptoHelper.aes256_gcm_encrypt(session_id)
end
def self.set(user, request) def self.set(user, request)
Gitlab::Redis::SharedState.with do |redis| Gitlab::Redis::SharedState.with do |redis|
session_private_id = request.session.id.private_id session_private_id = request.session.id.private_id
@ -44,8 +37,6 @@ class ActiveSession
device_type: client.device_type, device_type: client.device_type,
created_at: user.current_sign_in_at || timestamp, created_at: user.current_sign_in_at || timestamp,
updated_at: timestamp, updated_at: timestamp,
# TODO: remove in 13.7
session_id: request.session.id.public_id,
session_private_id: session_private_id, session_private_id: session_private_id,
is_impersonated: request.session[:impersonator_id].present? is_impersonated: request.session[:impersonator_id].present?
) )
@ -61,20 +52,10 @@ class ActiveSession
lookup_key_name(user.id), lookup_key_name(user.id),
session_private_id session_private_id
) )
# We remove the ActiveSession stored by using public_id to avoid
# duplicate entries
remove_deprecated_active_sessions_with_public_id(redis, user.id, request.session.id.public_id)
end end
end end
end end
# TODO: remove in 13.7
private_class_method def self.remove_deprecated_active_sessions_with_public_id(redis, user_id, rack_session_public_id)
redis.srem(lookup_key_name(user_id), rack_session_public_id)
redis.del(key_name(user_id, rack_session_public_id))
end
def self.list(user) def self.list(user)
Gitlab::Redis::SharedState.with do |redis| Gitlab::Redis::SharedState.with do |redis|
cleaned_up_lookup_entries(redis, user).map do |raw_session| cleaned_up_lookup_entries(redis, user).map do |raw_session|
@ -90,18 +71,6 @@ class ActiveSession
end end
end end
# TODO: remove in 13.7
# After upgrade there might be a duplicate ActiveSessions:
# - one with the public_id stored in #session_id
# - another with private_id stored in #session_private_id
def self.destroy_with_rack_session_id(user, rack_session_id)
return unless rack_session_id
Gitlab::Redis::SharedState.with do |redis|
destroy_sessions(redis, user, [rack_session_id.public_id, rack_session_id.private_id])
end
end
def self.destroy_sessions(redis, user, session_ids) def self.destroy_sessions(redis, user, session_ids)
key_names = session_ids.map { |session_id| key_name(user.id, session_id) } key_names = session_ids.map { |session_id| key_name(user.id, session_id) }
@ -113,19 +82,11 @@ class ActiveSession
end end
end end
# TODO: remove in 13.7 def self.destroy_session(user, session_id)
# After upgrade, .destroy might be called with the session id encrypted
# by .public_id.
def self.destroy_with_deprecated_encryption(user, session_id)
return unless session_id return unless session_id
decrypted_session_id = decrypt_public_id(session_id)
rack_session_private_id = if decrypted_session_id
Rack::Session::SessionId.new(decrypted_session_id).private_id
end
Gitlab::Redis::SharedState.with do |redis| Gitlab::Redis::SharedState.with do |redis|
destroy_sessions(redis, user, [session_id, decrypted_session_id, rack_session_private_id].compact) destroy_sessions(redis, user, [session_id].compact)
end end
end end
@ -252,11 +213,4 @@ class ActiveSession
entries.compact entries.compact
end end
# TODO: remove in 13.7
private_class_method def self.decrypt_public_id(public_id)
Gitlab::CryptoHelper.aes256_gcm_decrypt(public_id)
rescue
nil
end
end end
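Review bot: In the new `destroy_session` (the `@ -113,19 +82,11` hunk), `[session_id].compact` is redundant after `return unless session_id` — the guard already excludes `nil`, so pass `[session_id]` directly, or drop the guard and keep `compact`, but not both. The method also accepts the raw controller value without any shape check; `destroy_sessions` builds Redis key names via `key_name(user.id, session_id)`, so the keys presumably stay scoped to the user, but a short comment such as `# session_id is expected to be a Rack::Session::SessionId#private_id digest` would record the contract the removed decrypt path used to make explicit. The other hunks in this section only remove deprecated public_id compatibility code and need no change.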


@ -40,8 +40,7 @@ Rails.application.configure do |config|
activity = Gitlab::Auth::Activity.new(opts) activity = Gitlab::Auth::Activity.new(opts)
tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth) tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
# TODO: switch to `auth.request.session.id.private_id` in 13.7 ActiveSession.destroy_session(user, auth.request.session.id.private_id) if auth.request.session.id
ActiveSession.destroy_with_rack_session_id(user, auth.request.session.id)
activity.user_session_destroyed! activity.user_session_destroyed!
## ##
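Review bot: The new line `ActiveSession.destroy_session(user, auth.request.session.id.private_id) if auth.request.session.id` evaluates `auth.request.session.id` twice and hangs a modifier `if` on an already long line; the safe-navigation form `ActiveSession.destroy_session(user, auth.request.session.id&.private_id)` is equivalent here because `destroy_session` returns early on a `nil` id, as the ActiveSession hunk in this commit shows. The enclosing Warden hook block starts and ends outside the hunk.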


@ -1,17 +1,11 @@
*.gem .DS_Store
*.rbc *.log
.bundle tmp/
.config .idea/*
.yardoc
Gemfile.lock .yardoc/
InstalledFiles _yardoc/
_yardoc coverage/
coverage rdoc/
doc/ doc/
lib/bundler/man Gemfile.lock
pkg
rdoc
spec/reports
test/tmp
test/version_tmp
tmp


@ -0,0 +1,66 @@
# -----------------------------------------------------------------------------
# Configuration file for http://travis-ci.org/elasticsearch/elasticsearch-rails
# -----------------------------------------------------------------------------
dist: trusty
sudo: required
language: ruby
services:
- mongodb
branches:
only:
- master
- travis
- 5.x
- 6.x
- 2.x
matrix:
include:
- rvm: 2.2
jdk: oraclejdk8
env: RAILS_VERSIONS=3.0
- rvm: 2.3.8
jdk: oraclejdk8
env: RAILS_VERSIONS=5.0
- rvm: 2.6.1
jdk: oraclejdk8
env: RAILS_VERSIONS=4.0,5.0
- rvm: jruby-9.2.5.0
jdk: oraclejdk8
env: RAILS_VERSIONS=5.0
env:
global:
- ELASTICSEARCH_VERSION=6.4.0
- QUIET=true
before_install:
- wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELASTICSEARCH_VERSION}.deb
- wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELASTICSEARCH_VERSION}.deb.sha512
- shasum -a 512 -c elasticsearch-${ELASTICSEARCH_VERSION}.deb.sha512
- sudo dpkg -i --force-confnew elasticsearch-${ELASTICSEARCH_VERSION}.deb
- sudo service elasticsearch start
- gem update --system
- gem update bundler
- gem --version
- bundle version
install:
- bundle install
- rake bundle:clean
- rake bundle:install
script:
- rake test:all
notifications:
disable: true
