New upstream version 13.7.8+ds1
This commit is contained in:
parent
7e5cacce5f
commit
230c9f7a6f
178 changed files with 368 additions and 283 deletions
11
CHANGELOG.md
11
CHANGELOG.md
|
@ -2,6 +2,17 @@
|
|||
documentation](doc/development/changelog.md) for instructions on adding your own
|
||||
entry.
|
||||
|
||||
## 13.7.8 (2021-03-04)
|
||||
|
||||
### Security (5 changes)
|
||||
|
||||
- Bump thrift gem to 0.14.0.
|
||||
- Allow only owners to manage group variables.
|
||||
- Do not store marshalled sessions ids in Redis.
|
||||
- Workhorse: prevent escaped router path traversal.
|
||||
- Fix XSS vulnerability for swagger file viewer.
|
||||
|
||||
|
||||
## 13.7.7 (2021-02-11)
|
||||
|
||||
### Security (9 changes)
|
||||
|
|
|
@ -1 +1 @@
|
|||
13.7.7
|
||||
13.7.8
|
|
@ -1 +1 @@
|
|||
8.58.2
|
||||
8.58.4
|
||||
|
|
3
Gemfile
3
Gemfile
|
@ -312,6 +312,9 @@ gem 'premailer-rails', '~> 1.10.3'
|
|||
|
||||
# LabKit: Tracing and Correlation
|
||||
gem 'gitlab-labkit', '0.13.3'
|
||||
# Thrift is a dependency of gitlab-labkit, we want a version higher than 0.14.0
|
||||
# because of https://gitlab.com/gitlab-org/gitlab/-/issues/321900
|
||||
gem 'thrift', '>= 0.14.0'
|
||||
|
||||
# I18n
|
||||
gem 'ruby_parser', '~> 3.15', require: false
|
||||
|
|
|
@ -1169,7 +1169,7 @@ GEM
|
|||
rack (>= 1, < 3)
|
||||
thor (0.20.3)
|
||||
thread_safe (0.3.6)
|
||||
thrift (0.13.0)
|
||||
thrift (0.14.0)
|
||||
tilt (2.0.10)
|
||||
timecop (0.9.1)
|
||||
timeliness (0.3.10)
|
||||
|
@ -1516,6 +1516,7 @@ DEPENDENCIES
|
|||
terser (= 1.0.2)
|
||||
test-prof (~> 0.12.0)
|
||||
thin (~> 1.7.0)
|
||||
thrift (>= 0.14.0)
|
||||
timecop (~> 0.9.1)
|
||||
toml-rb (~> 1.0.0)
|
||||
truncato (~> 0.7.11)
|
||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
|||
13.7.7
|
||||
13.7.8
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
module Groups
|
||||
class VariablesController < Groups::ApplicationController
|
||||
before_action :authorize_admin_build!
|
||||
before_action :authorize_admin_group!
|
||||
|
||||
skip_cross_project_access_check :show, :update
|
||||
|
||||
|
|
|
@ -8,9 +8,8 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController
|
|||
end
|
||||
|
||||
def destroy
|
||||
# params[:id] can be either an Rack::Session::SessionId#private_id
|
||||
# or an encrypted Rack::Session::SessionId#public_id
|
||||
ActiveSession.destroy_with_deprecated_encryption(current_user, params[:id])
|
||||
# params[:id] can be an Rack::Session::SessionId#private_id
|
||||
ActiveSession.destroy_session(current_user, params[:id])
|
||||
current_user.forget_me!
|
||||
|
||||
respond_to do |format|
|
||||
|
|
|
@ -24,11 +24,6 @@ module ActiveSessionsHelper
|
|||
end
|
||||
|
||||
def revoke_session_path(active_session)
|
||||
if active_session.session_private_id
|
||||
profile_active_session_path(active_session.session_private_id)
|
||||
else
|
||||
# TODO: remove in 13.7
|
||||
profile_active_session_path(active_session.public_id)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -23,13 +23,6 @@ class ActiveSession
|
|||
device_type&.titleize
|
||||
end
|
||||
|
||||
# This is not the same as Rack::Session::SessionId#public_id, but we
|
||||
# need to preserve this for backwards compatibility.
|
||||
# TODO: remove in 13.7
|
||||
def public_id
|
||||
Gitlab::CryptoHelper.aes256_gcm_encrypt(session_id)
|
||||
end
|
||||
|
||||
def self.set(user, request)
|
||||
Gitlab::Redis::SharedState.with do |redis|
|
||||
session_private_id = request.session.id.private_id
|
||||
|
@ -44,8 +37,6 @@ class ActiveSession
|
|||
device_type: client.device_type,
|
||||
created_at: user.current_sign_in_at || timestamp,
|
||||
updated_at: timestamp,
|
||||
# TODO: remove in 13.7
|
||||
session_id: request.session.id.public_id,
|
||||
session_private_id: session_private_id,
|
||||
is_impersonated: request.session[:impersonator_id].present?
|
||||
)
|
||||
|
@ -61,20 +52,10 @@ class ActiveSession
|
|||
lookup_key_name(user.id),
|
||||
session_private_id
|
||||
)
|
||||
|
||||
# We remove the ActiveSession stored by using public_id to avoid
|
||||
# duplicate entries
|
||||
remove_deprecated_active_sessions_with_public_id(redis, user.id, request.session.id.public_id)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# TODO: remove in 13.7
|
||||
private_class_method def self.remove_deprecated_active_sessions_with_public_id(redis, user_id, rack_session_public_id)
|
||||
redis.srem(lookup_key_name(user_id), rack_session_public_id)
|
||||
redis.del(key_name(user_id, rack_session_public_id))
|
||||
end
|
||||
|
||||
def self.list(user)
|
||||
Gitlab::Redis::SharedState.with do |redis|
|
||||
cleaned_up_lookup_entries(redis, user).map do |raw_session|
|
||||
|
@ -90,18 +71,6 @@ class ActiveSession
|
|||
end
|
||||
end
|
||||
|
||||
# TODO: remove in 13.7
|
||||
# After upgrade there might be a duplicate ActiveSessions:
|
||||
# - one with the public_id stored in #session_id
|
||||
# - another with private_id stored in #session_private_id
|
||||
def self.destroy_with_rack_session_id(user, rack_session_id)
|
||||
return unless rack_session_id
|
||||
|
||||
Gitlab::Redis::SharedState.with do |redis|
|
||||
destroy_sessions(redis, user, [rack_session_id.public_id, rack_session_id.private_id])
|
||||
end
|
||||
end
|
||||
|
||||
def self.destroy_sessions(redis, user, session_ids)
|
||||
key_names = session_ids.map { |session_id| key_name(user.id, session_id) }
|
||||
|
||||
|
@ -113,19 +82,11 @@ class ActiveSession
|
|||
end
|
||||
end
|
||||
|
||||
# TODO: remove in 13.7
|
||||
# After upgrade, .destroy might be called with the session id encrypted
|
||||
# by .public_id.
|
||||
def self.destroy_with_deprecated_encryption(user, session_id)
|
||||
def self.destroy_session(user, session_id)
|
||||
return unless session_id
|
||||
|
||||
decrypted_session_id = decrypt_public_id(session_id)
|
||||
rack_session_private_id = if decrypted_session_id
|
||||
Rack::Session::SessionId.new(decrypted_session_id).private_id
|
||||
end
|
||||
|
||||
Gitlab::Redis::SharedState.with do |redis|
|
||||
destroy_sessions(redis, user, [session_id, decrypted_session_id, rack_session_private_id].compact)
|
||||
destroy_sessions(redis, user, [session_id].compact)
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -252,11 +213,4 @@ class ActiveSession
|
|||
|
||||
entries.compact
|
||||
end
|
||||
|
||||
# TODO: remove in 13.7
|
||||
private_class_method def self.decrypt_public_id(public_id)
|
||||
Gitlab::CryptoHelper.aes256_gcm_decrypt(public_id)
|
||||
rescue
|
||||
nil
|
||||
end
|
||||
end
|
||||
|
|
|
@ -40,8 +40,7 @@ Rails.application.configure do |config|
|
|||
activity = Gitlab::Auth::Activity.new(opts)
|
||||
tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
|
||||
|
||||
# TODO: switch to `auth.request.session.id.private_id` in 13.7
|
||||
ActiveSession.destroy_with_rack_session_id(user, auth.request.session.id)
|
||||
ActiveSession.destroy_session(user, auth.request.session.id.private_id) if auth.request.session.id
|
||||
activity.user_session_destroyed!
|
||||
|
||||
##
|
||||
|
|
26
elasticsearch-rails/.gitignore
vendored
26
elasticsearch-rails/.gitignore
vendored
|
@ -1,17 +1,11 @@
|
|||
*.gem
|
||||
*.rbc
|
||||
.bundle
|
||||
.config
|
||||
.yardoc
|
||||
Gemfile.lock
|
||||
InstalledFiles
|
||||
_yardoc
|
||||
coverage
|
||||
.DS_Store
|
||||
*.log
|
||||
tmp/
|
||||
.idea/*
|
||||
|
||||
.yardoc/
|
||||
_yardoc/
|
||||
coverage/
|
||||
rdoc/
|
||||
doc/
|
||||
lib/bundler/man
|
||||
pkg
|
||||
rdoc
|
||||
spec/reports
|
||||
test/tmp
|
||||
test/version_tmp
|
||||
tmp
|
||||
Gemfile.lock
|
||||
|
|
66
elasticsearch-rails/.travis.yml
Normal file
66
elasticsearch-rails/.travis.yml
Normal file
|
@ -0,0 +1,66 @@
|
|||
# -----------------------------------------------------------------------------
|
||||
# Configuration file for http://travis-ci.org/elasticsearch/elasticsearch-rails
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
dist: trusty
|
||||
|
||||
sudo: required
|
||||
|
||||
language: ruby
|
||||
|
||||
services:
|
||||
- mongodb
|
||||
|
||||
branches:
|
||||
only:
|
||||
- master
|
||||
- travis
|
||||
- 5.x
|
||||
- 6.x
|
||||
- 2.x
|
||||
|
||||
matrix:
|
||||
include:
|
||||
- rvm: 2.2
|
||||
jdk: oraclejdk8
|
||||
env: RAILS_VERSIONS=3.0
|
||||
|
||||
- rvm: 2.3.8
|
||||
jdk: oraclejdk8
|
||||
env: RAILS_VERSIONS=5.0
|
||||
|
||||
- rvm: 2.6.1
|
||||
jdk: oraclejdk8
|
||||
env: RAILS_VERSIONS=4.0,5.0
|
||||
|
||||
- rvm: jruby-9.2.5.0
|
||||
jdk: oraclejdk8
|
||||
env: RAILS_VERSIONS=5.0
|
||||
|
||||
env:
|
||||
global:
|
||||
- ELASTICSEARCH_VERSION=6.4.0
|
||||
- QUIET=true
|
||||
|
||||
|
||||
before_install:
|
||||
- wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELASTICSEARCH_VERSION}.deb
|
||||
- wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELASTICSEARCH_VERSION}.deb.sha512
|
||||
- shasum -a 512 -c elasticsearch-${ELASTICSEARCH_VERSION}.deb.sha512
|
||||
- sudo dpkg -i --force-confnew elasticsearch-${ELASTICSEARCH_VERSION}.deb
|
||||
- sudo service elasticsearch start
|
||||
- gem update --system
|
||||
- gem update bundler
|
||||
- gem --version
|
||||
- bundle version
|
||||
|
||||
install:
|
||||
- bundle install
|
||||
- rake bundle:clean
|
||||
- rake bundle:install
|
||||
|
||||
script:
|
||||
- rake test:all
|
||||
|
||||
notifications:
|
||||
disable: true
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue