realaravinth/debian-mirror-gitlab
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

New upstream version 10.7.5+dfsg

Browse source
This commit is contained in:
Pirate Praveen 2018-06-03 19:52:53 +05:30
parent dd13d6ff10
commit 2d79e65d03
21 changed files with 168 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
CHANGELOG.md
View file

@ -2,6 +2,22 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
## 10.7.5 (2018-05-28)
### Security (3 changes)
- Prevent user passwords from being changed without providing the previous password.
- Fix API to remove deploy key from project instead of deleting it entirely.
- Fixed bug that allowed importing arbitrary project attributes.
## 10.7.4 (2018-05-21)
### Fixed (1 change)
- Fix error when deleting an empty list of refs.
## 10.7.3 (2018-05-02)
### Fixed (8 changes)

2
Gemfile
View file

@ -421,7 +421,7 @@ end
# Gitaly GRPC client
gem 'gitaly-proto', '~> 0.96.0', require: 'gitaly'
gem 'grpc', '~> 1.10.0'
gem 'grpc', '~> 1.11.0'
# Locked until https://github.com/google/protobuf/issues/4210 is closed
gem 'google-protobuf', '= 3.5.1'

4
Gemfile.lock
View file

@ -374,7 +374,7 @@ GEM
rake
grape_logging (1.7.0)
grape
grpc (1.10.0)
grpc (1.11.0)
google-protobuf (~> 3.1)
googleapis-common-protos-types (~> 1.0.0)
googleauth (>= 0.5.1, < 0.7)
@ -1074,7 +1074,7 @@ DEPENDENCIES
grape-entity (~> 0.6.0)
grape-route-helpers (~> 2.1.0)
grape_logging (~> 1.7)
grpc (~> 1.10.0)
grpc (~> 1.11.0)
haml_lint (~> 0.26.0)
hamlit (~> 2.6.1)
hashie-forbidden_attributes

2
VERSION
View file

@ -1 +1 @@
10.7.3
10.7.5

2
app/controllers/profiles_controller.rb
View file

@ -93,8 +93,6 @@ class ProfilesController < Profiles::ApplicationController
:linkedin,
:location,
:name,
:password,
:password_confirmation,
:public_email,
:skype,
:twitter,

6
lib/api/deploy_keys.rb
View file

@ -148,10 +148,10 @@ module API
requires :key_id, type: Integer, desc: 'The ID of the deploy key'
end
delete ":id/deploy_keys/:key_id" do
key = user_project.deploy_keys.find(params[:key_id])
not_found!('Deploy Key') unless key
deploy_key_project = user_project.deploy_keys_projects.find_by(deploy_key_id: params[:key_id])
not_found!('Deploy Key') unless deploy_key_project
destroy_conditionally!(key)
destroy_conditionally!(deploy_key_project)
end
end
end

2
lib/gitlab/git/repository.rb
View file

@ -2339,7 +2339,7 @@ module Gitlab
end
def gitaly_delete_refs(*ref_names)
gitaly_ref_client.delete_refs(refs: ref_names)
gitaly_ref_client.delete_refs(refs: ref_names) if ref_names.any?
end
def rugged_remove_remote(remote_name)

11
lib/gitlab/import_export/attribute_cleaner.rb
View file

@ -7,14 +7,15 @@ module Gitlab
new(*args).clean
end
def initialize(relation_hash:, relation_class:)
def initialize(relation_hash:, relation_class:, excluded_keys: [])
@relation_hash = relation_hash
@relation_class = relation_class
@excluded_keys = excluded_keys
end
def clean
@relation_hash.reject do |key, _value|
prohibited_key?(key) || !@relation_class.attribute_method?(key)
prohibited_key?(key) || !@relation_class.attribute_method?(key) || excluded_key?(key)
end.except('id')
end
@ -23,6 +24,12 @@ module Gitlab
def prohibited_key?(key)
key.end_with?('_id') && !ALLOWED_REFERENCES.include?(key)
end
def excluded_key?(key)
return false if @excluded_keys.empty?
@excluded_keys.include?(key)
end
end
end
end

4
lib/gitlab/import_export/attributes_finder.rb
View file

@ -32,6 +32,10 @@ module Gitlab
@methods[key].nil? ? {} : { methods: @methods[key] }
end
def find_excluded_keys(klass_name)
@excluded_attributes[klass_name.to_sym]&.map(&:to_s) || []
end
private
def find_attributes_only(value)

2
lib/gitlab/import_export/import_export.yml
View file

@ -97,8 +97,6 @@ excluded_attributes:
- :import_jid
- :created_at
- :updated_at
- :import_jid
- :import_jid
- :id
- :star_count
- :last_activity_at

23
lib/gitlab/import_export/project_tree_restorer.rb
View file

@ -88,16 +88,18 @@ module Gitlab
end
def project_params
@project_params ||= json_params.merge(override_params)
@project_params ||= begin
attrs = json_params.merge(override_params)
# Cleaning all imported and overridden params
Gitlab::ImportExport::AttributeCleaner.clean(relation_hash: attrs,
relation_class: Project,
excluded_keys: excluded_keys_for_relation(:project))
end
end
def override_params
return {} unless params = @project.import_data&.data&.fetch('override_params', nil)
@override_params ||= params.select do |key, _value|
Project.column_names.include?(key.to_s) &&
!reader.project_tree[:except].include?(key.to_sym)
end
@override_params ||= @project.import_data&.data&.fetch('override_params', nil) || {}
end
def json_params
@ -171,7 +173,8 @@ module Gitlab
relation_hash: parsed_relation_hash(relation_hash, relation.to_sym),
members_mapper: members_mapper,
user: @user,
project: @restored_project)
project: @restored_project,
excluded_keys: excluded_keys_for_relation(relation))
end.compact
relation_hash_list.is_a?(Array) ? relation_array : relation_array.first
@ -192,6 +195,10 @@ module Gitlab
def reader
@reader ||= Gitlab::ImportExport::Reader.new(shared: @shared)
end
def excluded_keys_for_relation(relation)
@reader.attributes_finder.find_excluded_keys(relation)
end
end
end
end

2
lib/gitlab/import_export/reader.rb
View file

@ -1,7 +1,7 @@
module Gitlab
module ImportExport
class Reader
attr_reader :tree
attr_reader :tree, :attributes_finder
def initialize(shared:)
@shared = shared

10
lib/gitlab/import_export/relation_factory.rb
View file

@ -35,13 +35,21 @@ module Gitlab
new(*args).create
end
def initialize(relation_sym:, relation_hash:, members_mapper:, user:, project:)
def initialize(relation_sym:, relation_hash:, members_mapper:, user:, project:, excluded_keys: [])
@relation_name = OVERRIDES[relation_sym] || relation_sym
@relation_hash = relation_hash.except('noteable_id')
@members_mapper = members_mapper
@user = user
@project = project
@imported_object_retries = 0
# Remove excluded keys from relation_hash
# We don't do this in the parsed_relation_hash because of the 'transformed attributes'
# For example, MergeRequestDiffFiles exports its diff attribute as utf8_diff. Then,
# in the create method that attribute is renamed to diff. And because diff is an excluded key,
# if we clean the excluded keys in the parsed_relation_hash, it will be removed
# from the object attributes and the export will fail.
@relation_hash.except!(*excluded_keys)
end
# Creates an object from an actual model with name "relation_sym" with params from

13
spec/controllers/profiles_controller_spec.rb
View file

@ -3,6 +3,19 @@ require('spec_helper')
describe ProfilesController, :request_store do
let(:user) { create(:user) }
describe 'POST update' do
it 'does not update password' do
sign_in(user)
expect do
post :update,
user: { password: 'hello12345', password_confirmation: 'hello12345' }
end.not_to change { user.reload.encrypted_password }
expect(response.status).to eq(302)
end
end
describe 'PUT update' do
it 'allows an email update from a user without an external email address' do
sign_in(user)

4
spec/lib/gitlab/git/repository_spec.rb
View file

@ -600,6 +600,10 @@ describe Gitlab::Git::Repository, seed_helper: true do
end
end
it 'does not fail when deleting an empty list of refs' do
expect { repo.delete_refs(*[]) }.not_to raise_error
end
it 'raises an error if it failed' do
expect { repo.delete_refs('refs\heads\fix') }.to raise_error(Gitlab::Git::Repository::GitError)
end

29
spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
View file

@ -15,7 +15,10 @@ describe Gitlab::ImportExport::AttributeCleaner do
'project_id' => 99,
'user_id' => 99,
'random_id_in_the_middle' => 99,
'notid' => 99
'notid' => 99,
'import_source' => 'whatever',
'import_type' => 'whatever',
'non_existent_attr' => 'whatever'
}
end
@ -28,10 +31,30 @@ describe Gitlab::ImportExport::AttributeCleaner do
}
end
let(:excluded_keys) { %w[import_source import_type] }
subject { described_class.clean(relation_hash: unsafe_hash, relation_class: relation_class, excluded_keys: excluded_keys) }
before do
allow(relation_class).to receive(:attribute_method?).and_return(true)
allow(relation_class).to receive(:attribute_method?).with('non_existent_attr').and_return(false)
end
it 'removes unwanted attributes from the hash' do
# allow(relation_class).to receive(:attribute_method?).and_return(true)
expect(subject).to eq(post_safe_hash)
end
it 'removes attributes not present in relation_class' do
expect(subject.keys).not_to include 'non_existent_attr'
end
it 'removes excluded keys from the hash' do
expect(subject.keys).not_to include excluded_keys
end
it 'does not remove excluded key if not listed' do
parsed_hash = described_class.clean(relation_hash: unsafe_hash, relation_class: relation_class)
expect(parsed_hash).to eq(post_safe_hash)
expect(parsed_hash.keys).to eq post_safe_hash.keys + excluded_keys
end
end

2
spec/lib/gitlab/import_export/project.json
View file

@ -1,5 +1,7 @@
{
"description": "Nisi et repellendus ut enim quo accusamus vel magnam.",
"import_type": "gitlab_project",
"creator_id": 123,
"visibility_level": 10,
"archived": false,
"labels": [

2
spec/lib/gitlab/import_export/project.light.json
View file

@ -1,5 +1,7 @@
{
"description": "Nisi et repellendus ut enim quo accusamus vel magnam.",
"import_type": "gitlab_project",
"creator_id": 123,
"visibility_level": 10,
"archived": false,
"milestones": [

9
spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
View file

@ -23,6 +23,10 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
allow_any_instance_of(Gitlab::Git::Repository).to receive(:create_branch)
project_tree_restorer = described_class.new(user: @user, shared: @shared, project: @project)
expect(Gitlab::ImportExport::RelationFactory).to receive(:create).with(hash_including(excluded_keys: ['whatever'])).and_call_original.at_least(:once)
allow(project_tree_restorer).to receive(:excluded_keys_for_relation).and_return(['whatever'])
@restored_project_json = project_tree_restorer.restore
end
end
@ -248,6 +252,11 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
expect(labels.where(type: "ProjectLabel").count).to eq(results.fetch(:first_issue_labels, 0))
expect(labels.where(type: "ProjectLabel").where.not(group_id: nil).count).to eq(0)
end
it 'does not set params that are excluded from import_export settings' do
expect(project.import_type).to be_nil
expect(project.creator_id).not_to eq 123
end
end
shared_examples 'restores group correctly' do |**results|

12
spec/lib/gitlab/import_export/relation_factory_spec.rb
View file

@ -4,12 +4,14 @@ describe Gitlab::ImportExport::RelationFactory do
let(:project) { create(:project) }
let(:members_mapper) { double('members_mapper').as_null_object }
let(:user) { create(:admin) }
let(:excluded_keys) { [] }
let(:created_object) do
described_class.create(relation_sym: relation_sym,
relation_hash: relation_hash,
members_mapper: members_mapper,
user: user,
project: project)
project: project,
excluded_keys: excluded_keys)
end
context 'hook object' do
@ -67,6 +69,14 @@ describe Gitlab::ImportExport::RelationFactory do
expect(created_object.service_id).not_to eq(service_id)
end
end
context 'excluded attributes' do
let(:excluded_keys) { %w[url] }
it 'are removed from the imported object' do
expect(created_object.url).to be_nil
end
end
end
# Mocks an ActiveRecordish object with the dodgy columns

40
spec/requests/api/deploy_keys_spec.rb
View file

@ -171,7 +171,7 @@ describe API::DeployKeys do
deploy_key
end
it 'deletes existing key' do
it 'removes existing key from project' do
expect do
delete api("/projects/#{project.id}/deploy_keys/#{deploy_key.id}", admin)
@ -179,6 +179,44 @@ describe API::DeployKeys do
end.to change { project.deploy_keys.count }.by(-1)
end
context 'when the deploy key is public' do
it 'does not delete the deploy key' do
expect do
delete api("/projects/#{project.id}/deploy_keys/#{deploy_key.id}", admin)
expect(response).to have_gitlab_http_status(204)
end.not_to change { DeployKey.count }
end
end
context 'when the deploy key is not public' do
let!(:deploy_key) { create(:deploy_key, public: false) }
context 'when the deploy key is only used by this project' do
it 'deletes the deploy key' do
expect do
delete api("/projects/#{project.id}/deploy_keys/#{deploy_key.id}", admin)
expect(response).to have_gitlab_http_status(204)
end.to change { DeployKey.count }.by(-1)
end
end
context 'when the deploy key is used by other projects' do
before do
create(:deploy_keys_project, project: project2, deploy_key: deploy_key)
end
it 'does not delete the deploy key' do
expect do
delete api("/projects/#{project.id}/deploy_keys/#{deploy_key.id}", admin)
expect(response).to have_gitlab_http_status(204)
end.not_to change { DeployKey.count }
end
end
end
it 'returns 404 Not Found with invalid ID' do
delete api("/projects/#{project.id}/deploy_keys/404", admin)