From d3fc7f9250161a18cb56923a6170c860b9746ca7 Mon Sep 17 00:00:00 2001 
From: Pirate Praveen Date: Wed, 27 Jun 2018 16:04:02 +0530 Subject: [PATCH 1/4] New upstream version 10.7.6+dfsg --- CHANGELOG.md | 16 +++ Gemfile | 15 +- Gemfile.lock | 42 +++--- VERSION | 2 +- app/controllers/application_controller.rb | 1 + .../concerns/issuable_collections.rb | 2 +- app/controllers/dashboard/todos_controller.rb | 2 +- .../groups/application_controller.rb | 2 +- app/controllers/groups_controller.rb | 2 +- .../projects/application_controller.rb | 2 +- app/controllers/projects_controller.rb | 2 +- app/controllers/users_controller.rb | 2 +- app/finders/user_recent_events_finder.rb | 2 +- app/helpers/blob_helper.rb | 2 +- app/helpers/diff_helper.rb | 2 +- app/helpers/projects_helper.rb | 3 +- app/helpers/safe_params_helper.rb | 11 ++ app/views/dashboard/issues.atom.builder | 2 +- app/views/dashboard/issues.html.haml | 4 +- app/views/groups/issues.atom.builder | 2 +- app/views/groups/issues.html.haml | 2 +- app/views/peek/_bar.html.haml | 2 +- app/views/projects/blob/_viewer.html.haml | 2 +- app/views/projects/diffs/_collapsed.html.haml | 2 +- app/views/projects/diffs/_diffs.html.haml | 2 +- app/views/projects/graphs/charts.html.haml | 2 +- app/views/projects/issues/_nav_btns.html.haml | 2 +- app/views/projects/issues/index.atom.builder | 2 +- app/views/projects/issues/index.html.haml | 2 +- .../creations/_new_submit.html.haml | 8 +- config/initializers/gollum.rb | 133 ------------------ lib/banzai/filter/sanitization_filter.rb | 3 +- lib/banzai/filter/table_of_contents_filter.rb | 2 +- spec/features/projects/graph_spec.rb | 20 ++- .../finders/user_recent_events_finder_spec.rb | 45 ++++-- spec/helpers/projects_helper_spec.rb | 9 +- spec/initializers/gollum_spec.rb | 62 -------- .../banzai/filter/sanitization_filter_spec.rb | 12 +- .../filter/table_of_contents_filter_spec.rb | 9 ++ 39 files changed, 167 insertions(+), 272 deletions(-) create mode 100644 app/helpers/safe_params_helper.rb delete mode 100644 spec/initializers/gollum_spec.rb 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 78b351bde4..f0300f4dd2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,22 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 10.7.6 (2018-06-21) + +### Security (6 changes) + +- Fix XSS vulnerability for table of content generation. +- Update sanitize gem to 4.6.5 to fix HTML injection vulnerability. +- HTML escape branch name in project graphs page. +- HTML escape the name of the user in ProjectsHelper#link_to_member. +- Don't show events from internal projects for anonymous users in public feed. +- XSS fix to use safe_params instead of params in url_for helpers. + +### Other (1 change) + +- Replacing gollum libraries for gitlab custom libs. !18343 + + ## 10.7.5 (2018-05-28) ### Security (3 changes) diff --git a/Gemfile b/Gemfile index 4d366bb885..b4bde1f726 100644 --- a/Gemfile +++ b/Gemfile @@ -81,16 +81,9 @@ gem 'net-ldap' # Git Wiki # Required manually in config/initializers/gollum.rb to control load order -# Before updating this gem, check if -# https://github.com/gollum/gollum-lib/pull/292 has been merged. -# If it has, then remove the monkey patch for update_page, rename_page and raw_data_in_committer -# in config/initializers/gollum.rb -gem 'gollum-lib', '~> 4.2', require: false +gem 'gitlab-gollum-lib', '~> 4.2' -# Before updating this gem, check if -# https://github.com/gollum/rugged_adapter/pull/28 has been merged. -# If it has, then remove the monkey patch for tree_entry in config/initializers/gollum.rb -gem 'gollum-rugged_adapter', '~> 0.4.4', require: false +gem 'gitlab-gollum-rugged_adapter', '~> 0.4.4', require: false # Language detection gem 'github-linguist', '~> 5.3.3', require: 'linguist' 
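Review bot: The kept comment `# Required manually in config/initializers/gollum.rb to control load order` no longer matches the line under it, because `gem 'gitlab-gollum-lib', '~> 4.2'` drops the `require: false` that the replaced gollum-lib line carried, while `gitlab-gollum-rugged_adapter` keeps it. Without `require: false` Bundler will attempt to auto-require the gem at boot, before the initializer's own `require "gollum-lib"` (visible as context in the config/initializers/gollum.rb hunk); whether that auto-require finds a file for the new gem name, or is silently skipped, is not visible here. Either restore `gem 'gitlab-gollum-lib', '~> 4.2', require: false` to keep the documented load order, or update the comment to say the gem is now auto-required and the initializer's require is redundant.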
@@ -146,7 +139,7 @@ gem 'creole', '~> 0.5.0' gem 'wikicloth', '0.8.1' gem 'asciidoctor', '~> 1.5.6' gem 'asciidoctor-plantuml', '0.0.8' -gem 'rouge', '~> 2.0' +gem 'rouge', '~> 3.1' gem 'truncato', '~> 0.7.9' gem 'bootstrap_form', '~> 2.7.0' gem 'nokogiri', '~> 1.8.2' @@ -226,7 +219,7 @@ gem 'kubeclient', '~> 3.0' gem 'd3_rails', '~> 3.5.0' # Sanitize user input -gem 'sanitize', '~> 2.0' +gem 'sanitize', '~> 4.6.5' gem 'babosa', '~> 1.0.2' # Sanitizes SVG input diff --git a/Gemfile.lock b/Gemfile.lock index 3c4d30c306..5f3d6f8768 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -298,11 +298,22 @@ GEM escape_utils (~> 1.1.0) mime-types (>= 1.19) rugged (>= 0.25.1) - github-markup (1.6.1) + github-markup (1.7.0) gitlab-flowdock-git-hook (1.0.1) flowdock (~> 0.7) gitlab-grit (>= 2.4.1) multi_json + gitlab-gollum-lib (4.2.7.5) + gemojione (~> 3.2) + github-markup (~> 1.6) + gollum-grit_adapter (~> 1.0) + nokogiri (>= 1.6.1, < 2.0) + rouge (~> 3.1) + sanitize (~> 4.6.4) + stringex (~> 2.6) + gitlab-gollum-rugged_adapter (0.4.4) + mime-types (>= 1.15) + rugged (~> 0.25) gitlab-grit (2.8.2) charlock_holmes (~> 0.6) diff-lcs (~> 1.1) @@ -322,17 +333,6 @@ GEM activesupport (>= 4.2.0) gollum-grit_adapter (1.0.1) gitlab-grit (~> 2.7, >= 2.7.1) - gollum-lib (4.2.7) - gemojione (~> 3.2) - github-markup (~> 1.6) - gollum-grit_adapter (~> 1.0) - nokogiri (>= 1.6.1, < 2.0) - rouge (~> 2.1) - sanitize (~> 2.1) - stringex (~> 2.6) - gollum-rugged_adapter (0.4.4) - mime-types (>= 1.15) - rugged (~> 0.25) gon (6.1.0) actionpack (>= 3.0) json @@ -517,6 +517,8 @@ GEM netrc (0.11.0) nokogiri (1.8.2) mini_portile2 (~> 2.3.0) + nokogumbo (1.5.0) + nokogiri numerizer (0.1.1) oauth (0.5.4) oauth2 (1.4.0) @@ -744,7 +746,7 @@ GEM retriable (3.1.1) rinku (2.0.0) rotp (2.1.2) - rouge (2.2.1) + rouge (3.1.1) rqrcode (0.7.0) chunky_png rqrcode-rails3 (0.1.7) 
@@ -812,8 +814,10 @@ GEM et-orbi (~> 1.0) rugged (0.27.0) safe_yaml (1.0.4) - sanitize (2.1.0) + sanitize (4.6.5) + crass (~> 1.0.2) nokogiri (>= 1.4.4) + nokogumbo (~> 1.4) sass (3.5.5) sass-listen (~> 4.0.0) sass-listen (4.0.0) @@ -904,7 +908,7 @@ GEM state_machines-activerecord (0.5.1) activerecord (>= 4.1, < 6.0) state_machines-activemodel (>= 0.5.0) - stringex (2.7.1) + stringex (2.8.4) sys-filesystem (1.1.6) ffi sysexits (1.2.0) @@ -1061,11 +1065,11 @@ DEPENDENCIES gitaly-proto (~> 0.96.0) github-linguist (~> 5.3.3) gitlab-flowdock-git-hook (~> 1.0.1) + gitlab-gollum-lib (~> 4.2) + gitlab-gollum-rugged_adapter (~> 0.4.4) gitlab-markup (~> 1.6.2) gitlab-styles (~> 2.3) gitlab_omniauth-ldap (~> 2.0.4) - gollum-lib (~> 4.2) - gollum-rugged_adapter (~> 0.4.4) gon (~> 6.1.0) google-api-client (~> 0.19.8) google-protobuf (= 3.5.1) @@ -1156,7 +1160,7 @@ DEPENDENCIES redis-rails (~> 5.0.2) request_store (~> 1.3) responders (~> 2.0) - rouge (~> 2.0) + rouge (~> 3.1) rqrcode-rails3 (~> 0.1.7) rspec-parameterized rspec-rails (~> 3.6.0) @@ -1170,7 +1174,7 @@ DEPENDENCIES ruby_parser (~> 3.8) rufus-scheduler (~> 3.4) rugged (~> 0.27) - sanitize (~> 2.0) + sanitize (~> 4.6.5) sass-rails (~> 5.0.6) scss_lint (~> 0.56.0) seed-fu (~> 2.3.7) diff --git a/VERSION b/VERSION index 39f05ce95b..e1a586a880 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -10.7.5 +10.7.6 diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 24651dd392..0fdd4d2cb4 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -5,6 +5,7 @@ class ApplicationController < ActionController::Base include Gitlab::GonHelper include GitlabRoutingHelper include PageLayoutHelper + include SafeParamsHelper include SentryHelper include WorkhorseHelper include EnforcesTwoFactorAuthentication 
diff --git a/app/controllers/concerns/issuable_collections.rb b/app/controllers/concerns/issuable_collections.rb index 4114ca6bf7..1dd5cb3d81 100644 --- a/app/controllers/concerns/issuable_collections.rb +++ b/app/controllers/concerns/issuable_collections.rb @@ -57,7 +57,7 @@ module IssuableCollections out_of_range = @issuables.current_page > total_pages # rubocop:disable Gitlab/ModuleWithInstanceVariables if out_of_range - redirect_to(url_for(params.merge(page: total_pages, only_path: true))) + redirect_to(url_for(safe_params.merge(page: total_pages, only_path: true))) end out_of_range diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb index e89eaf7edd..f9e8fe624e 100644 --- a/app/controllers/dashboard/todos_controller.rb +++ b/app/controllers/dashboard/todos_controller.rb @@ -86,7 +86,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController out_of_range = todos.current_page > total_pages if out_of_range - redirect_to url_for(params.merge(page: total_pages, only_path: true)) + redirect_to url_for(safe_params.merge(page: total_pages, only_path: true)) end out_of_range diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb index 9f3bb60b4c..6221356189 100644 --- a/app/controllers/groups/application_controller.rb +++ b/app/controllers/groups/application_controller.rb @@ -33,6 +33,6 @@ class Groups::ApplicationController < ApplicationController def build_canonical_path(group) params[:group_id] = group.to_param - url_for(params) + url_for(safe_params) end end diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index 5ac4b8710e..79fa581835 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -189,6 +189,6 @@ class GroupsController < Groups::ApplicationController params[:id] = group.to_param - url_for(params) + url_for(safe_params) end end 
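Review bot: The build_canonical_path methods in groups/application_controller.rb and groups_controller.rb still write `params[:group_id] = group.to_param` / `params[:id] = group.to_param` into the request params before calling `url_for(safe_params)`, so the mutation of `params` outlives the call; the projects/application_controller.rb and projects_controller.rb hunks follow the same pattern, whereas users_controller.rb's `url_for(safe_params.merge(username: user.to_param))` does not touch `params`. Writing these as `url_for(safe_params.merge(group_id: group.to_param))` would keep all canonical-path helpers in one style and avoid the side effect. The enclosing `def` line is outside the groups_controller.rb hunk.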
diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb index 032bb2267e..5ab6d103c8 100644 --- a/app/controllers/projects/application_controller.rb +++ b/app/controllers/projects/application_controller.rb @@ -25,7 +25,7 @@ class Projects::ApplicationController < ApplicationController params[:namespace_id] = project.namespace.to_param params[:project_id] = project.to_param - url_for(params) + url_for(safe_params) end def repository diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 37f1423019..a93b116c6f 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -404,7 +404,7 @@ class ProjectsController < Projects::ApplicationController params[:namespace_id] = project.namespace.to_param params[:id] = project.to_param - url_for(params) + url_for(safe_params) end def project_export_enabled diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 956df4a0a1..31f47a7aa7 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -146,6 +146,6 @@ class UsersController < ApplicationController end def build_canonical_path(user) - url_for(params.merge(username: user.to_param)) + url_for(safe_params.merge(username: user.to_param)) end end diff --git a/app/finders/user_recent_events_finder.rb b/app/finders/user_recent_events_finder.rb index 65d6e01974..74776b2ed1 100644 --- a/app/finders/user_recent_events_finder.rb +++ b/app/finders/user_recent_events_finder.rb @@ -56,7 +56,7 @@ class UserRecentEventsFinder visible = target_user .project_interactions - .where(visibility_level: [Gitlab::VisibilityLevel::INTERNAL, Gitlab::VisibilityLevel::PUBLIC]) + .where(visibility_level: Gitlab::VisibilityLevel.levels_for_user(current_user)) .select(:id) Gitlab::SQL::Union.new([authorized, visible]).to_sql 
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 64b3145352..e7a36e2005 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -259,7 +259,7 @@ module BlobHelper options = [] if error == :collapsed
- options << link_to('load it anyway', url_for(params.merge(viewer: viewer.type, expanded: true, format: nil)))
+ options << link_to('load it anyway', url_for(safe_params.merge(viewer: viewer.type, expanded: true, format: nil)))
 end # If the error is `:server_side_but_stored_externally`, the simple viewer will show the same error,
diff --git a/app/helpers/diff_helper.rb b/app/helpers/diff_helper.rb
index b5ca39711b..1bb82fd815 100644
--- a/app/helpers/diff_helper.rb
+++ b/app/helpers/diff_helper.rb
@@ -180,7 +180,7 @@ module DiffHelper private def diff_btn(title, name, selected)
- params_copy = params.dup
+ params_copy = safe_params.dup
 params_copy[:view] = name # Always use HTML to handle case where JSON diff rendered this button
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 15f48e43a2..94b03c57d8 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -40,7 +40,8 @@ module ProjectsHelper name_tag_options[:class] << 'has-tooltip' end
- content_tag(:span, sanitize(username), name_tag_options)
+ # NOTE: ActionView::Helpers::TagHelper#content_tag HTML escapes username
+ content_tag(:span, username, name_tag_options)
 end
 def link_to_member(project, author, opts = {}, &block)
diff --git a/app/helpers/safe_params_helper.rb b/app/helpers/safe_params_helper.rb
new file mode 100644
index 0000000000..5236fd6183
--- /dev/null
+++ b/app/helpers/safe_params_helper.rb
@@ -0,0 +1,11 @@
+module SafeParamsHelper
+ # Rails 5.0 requires to permit parameters if used in url helpers.
+ # Use this helper when generating links with `params.merge(...)`
+ def safe_params
+ if params.respond_to?(:permit!)
+ params.except(:host, :port, :protocol).permit!
+ else
+ params
+ end
+ end
+end
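Review bot: `safe_params` removes only `:host`, `:port` and `:protocol` before `permit!`, but Rails' url_for reads further keys out of its options hash — `:subdomain`, `:domain` and `:script_name` among them — so, if I read ActionDispatch's URL builder correctly, a request-supplied value under one of those names would still be copied into every link built from `safe_params`, which is exactly what the helper exists to prevent for `host`. The exclusion list should be checked against the full set of url_for options rather than the three named, e.g. `params.except(:host, :port, :protocol, :subdomain, :domain, :script_name).permit!`. The comment above the method explains only the Rails 5 `permit!` requirement; it should also state the security intent, since that is the reason the keys are dropped: `# Drop keys url_for treats as URL options so request params cannot redirect generated links to another host`.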
diff --git a/app/views/dashboard/issues.atom.builder b/app/views/dashboard/issues.atom.builder index 70ec6bc625..d7b6fb9a4a 100644 --- a/app/views/dashboard/issues.atom.builder +++ b/app/views/dashboard/issues.atom.builder @@ -1,5 +1,5 @@ xml.title "#{current_user.name} issues" -xml.link href: url_for(params), rel: "self", type: "application/atom+xml" +xml.link href: url_for(safe_params), rel: "self", type: "application/atom+xml" xml.link href: issues_dashboard_url, rel: "alternate", type: "text/html" xml.id issues_dashboard_url xml.updated @issues.first.updated_at.xmlschema if @issues.reorder(nil).any? diff --git a/app/views/dashboard/issues.html.haml b/app/views/dashboard/issues.html.haml index bb472b4c90..4bf04dadf0 100644 --- a/app/views/dashboard/issues.html.haml +++ b/app/views/dashboard/issues.html.haml @@ -2,12 +2,12 @@ - page_title _("Issues") - @breadcrumb_link = issues_dashboard_path(assignee_id: current_user.id) = content_for :meta_tags do - = auto_discovery_link_tag(:atom, params.merge(rss_url_options), title: "#{current_user.name} issues") + = auto_discovery_link_tag(:atom, safe_params.merge(rss_url_options).to_h, title: "#{current_user.name} issues") .top-area = render 'shared/issuable/nav', type: :issues, display_count: !@no_filters_set .nav-controls - = link_to params.merge(rss_url_options), class: 'btn has-tooltip', data: { container: 'body' }, title: 'Subscribe' do + = link_to safe_params.merge(rss_url_options), class: 'btn has-tooltip', data: { container: 'body' }, title: 'Subscribe' do = icon('rss') = render 'shared/new_project_item_select', path: 'issues/new', label: "New issue", with_feature_enabled: 'issues', type: :issues diff --git a/app/views/groups/issues.atom.builder b/app/views/groups/issues.atom.builder index a239ea8caf..2a385b661e 100644 --- a/app/views/groups/issues.atom.builder +++ b/app/views/groups/issues.atom.builder 
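Review bot: The `.to_h` on `safe_params.merge(rss_url_options).to_h` in the auto_discovery_link_tag call is unexplained, while the `link_to safe_params.merge(rss_url_options)` a few lines below passes the Parameters object bare; the same unexplained pair recurs in groups/issues.html.haml and projects/issues/index.html.haml. Presumably auto_discovery_link_tag only builds a URL from a genuine Hash and would otherwise use the object itself as the href, whereas link_to/url_for accept permitted Parameters directly — if so, a one-line comment would stop the next reader from "fixing" the inconsistency, e.g. `-# .to_h: auto_discovery_link_tag only builds a URL from a plain Hash`.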
@@ -1,5 +1,5 @@ xml.title "#{@group.name} issues" -xml.link href: url_for(params), rel: "self", type: "application/atom+xml" +xml.link href: url_for(safe_params), rel: "self", type: "application/atom+xml" xml.link href: issues_group_url, rel: "alternate", type: "text/html" xml.id issues_group_url xml.updated @issues.first.updated_at.xmlschema if @issues.reorder(nil).any? diff --git a/app/views/groups/issues.html.haml b/app/views/groups/issues.html.haml index 36df03302e..bbfbea4ac7 100644 --- a/app/views/groups/issues.html.haml +++ b/app/views/groups/issues.html.haml @@ -1,6 +1,6 @@ - page_title "Issues" = content_for :meta_tags do - = auto_discovery_link_tag(:atom, params.merge(rss_url_options), title: "#{@group.name} issues") + = auto_discovery_link_tag(:atom, safe_params.merge(rss_url_options).to_h, title: "#{@group.name} issues") - if group_issues_count(state: 'all').zero? = render 'shared/empty_states/issues', project_select_button: true diff --git a/app/views/peek/_bar.html.haml b/app/views/peek/_bar.html.haml index b4d86e1601..158aaa102b 100644 --- a/app/views/peek/_bar.html.haml +++ b/app/views/peek/_bar.html.haml @@ -3,7 +3,7 @@ #js-peek{ data: { env: Peek.env, request_id: Peek.request_id, peek_url: peek_routes.results_url, - profile_url: url_for(params.merge(lineprofiler: 'true')) }, + profile_url: url_for(safe_params.merge(lineprofiler: 'true')) }, class: Peek.env } #peek-view-performance-bar.hidden diff --git a/app/views/projects/blob/_viewer.html.haml b/app/views/projects/blob/_viewer.html.haml index 3124443b4e..8638c59913 100644 --- a/app/views/projects/blob/_viewer.html.haml +++ b/app/views/projects/blob/_viewer.html.haml 
@@ -3,7 +3,7 @@ - rich_type = viewer.type == :rich ? viewer.partial_name : nil - load_async = local_assigns.fetch(:load_async, viewer.load_async? && render_error.nil?) -- viewer_url = local_assigns.fetch(:viewer_url) { url_for(params.merge(viewer: viewer.type, format: :json)) } if load_async +- viewer_url = local_assigns.fetch(:viewer_url) { url_for(safe_params.merge(viewer: viewer.type, format: :json)) } if load_async .blob-viewer{ data: { type: viewer.type, rich_type: rich_type, url: viewer_url }, class: ('hidden' if hidden) } - if render_error = render 'projects/blob/render_error', viewer: viewer diff --git a/app/views/projects/diffs/_collapsed.html.haml b/app/views/projects/diffs/_collapsed.html.haml index 8772bd4705..5762f4d86d 100644 --- a/app/views/projects/diffs/_collapsed.html.haml +++ b/app/views/projects/diffs/_collapsed.html.haml @@ -1,5 +1,5 @@ - diff_file = viewer.diff_file -- url = url_for(params.merge(action: :diff_for_path, old_path: diff_file.old_path, new_path: diff_file.new_path, file_identifier: diff_file.file_identifier)) +- url = url_for(safe_params.merge(action: :diff_for_path, old_path: diff_file.old_path, new_path: diff_file.new_path, file_identifier: diff_file.file_identifier)) .nothing-here-block.diff-collapsed{ data: { diff_for_path: url } } This diff is collapsed. %a.click-to-expand Click to expand it. diff --git a/app/views/projects/diffs/_diffs.html.haml b/app/views/projects/diffs/_diffs.html.haml index 376f672f42..9f420ee86f 100644 --- a/app/views/projects/diffs/_diffs.html.haml +++ b/app/views/projects/diffs/_diffs.html.haml 
@@ -8,7 +8,7 @@ .files-changed-inner .inline-parallel-buttons.hidden-xs.hidden-sm - if !diffs_expanded? && diff_files.any? { |diff_file| diff_file.collapsed? } - = link_to 'Expand all', url_for(params.merge(expanded: 1, format: nil)), class: 'btn btn-default' + = link_to 'Expand all', url_for(safe_params.merge(expanded: 1, format: nil)), class: 'btn btn-default' - if show_whitespace_toggle - if current_controller?(:commit) = commit_diff_whitespace_link(diffs.project, @commit, class: 'hidden-xs') diff --git a/app/views/projects/graphs/charts.html.haml b/app/views/projects/graphs/charts.html.haml index 14c47a5d91..9e6fd49c26 100644 --- a/app/views/projects/graphs/charts.html.haml +++ b/app/views/projects/graphs/charts.html.haml @@ -30,7 +30,7 @@ #{@commits_graph.start_date.strftime('%b %d')} - end_time = capture do #{@commits_graph.end_date.strftime('%b %d')} - = (_("Commit statistics for %{ref} %{start_time} - %{end_time}") % { ref: "#{@ref}", start_time: start_time, end_time: end_time }).html_safe + = (_("Commit statistics for %{ref} %{start_time} - %{end_time}") % { ref: "#{h @ref}", start_time: start_time, end_time: end_time }).html_safe .col-md-6 .tree-ref-container diff --git a/app/views/projects/issues/_nav_btns.html.haml b/app/views/projects/issues/_nav_btns.html.haml index dd1a836fa2..297b928f02 100644 --- a/app/views/projects/issues/_nav_btns.html.haml +++ b/app/views/projects/issues/_nav_btns.html.haml @@ -1,4 +1,4 @@ -= link_to params.merge(rss_url_options), class: 'btn btn-default append-right-10 has-tooltip', title: 'Subscribe' do += link_to safe_params.merge(rss_url_options), class: 'btn btn-default append-right-10 has-tooltip', title: 'Subscribe' do = icon('rss') - if @can_bulk_update = button_tag "Edit issues", class: "btn btn-default append-right-10 js-bulk-update-toggle" diff --git a/app/views/projects/issues/index.atom.builder b/app/views/projects/issues/index.atom.builder index 4029926f37..6330245954 100644 
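Review bot: `"#{h @ref}"` escapes the branch name, but the trailing `.html_safe` still marks the whole formatted string safe, so every future placeholder added to this translation must remember its own `h` or the same class of bug returns. The safer shape is to mark the translation safe before interpolating, `= _("Commit statistics for %{ref} %{start_time} - %{end_time}").html_safe % { ref: @ref, start_time: start_time, end_time: end_time }`, which — if ActiveSupport::SafeBuffer#% is available in this Rails version, as I believe it is in 5.0 — escapes non-safe arguments automatically while leaving the captured `start_time`/`end_time` buffers untouched. Either way a short comment that `@ref` is request-controlled would help the next reader.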
--- a/app/views/projects/issues/index.atom.builder +++ b/app/views/projects/issues/index.atom.builder @@ -1,5 +1,5 @@ xml.title "#{@project.name} issues" -xml.link href: url_for(params), rel: "self", type: "application/atom+xml" +xml.link href: url_for(safe_params), rel: "self", type: "application/atom+xml" xml.link href: project_issues_url(@project), rel: "alternate", type: "text/html" xml.id project_issues_url(@project) xml.updated @issues.first.updated_at.xmlschema if @issues.reorder(nil).any? diff --git a/app/views/projects/issues/index.html.haml b/app/views/projects/issues/index.html.haml index c427a9eedc..1e7737aeb9 100644 --- a/app/views/projects/issues/index.html.haml +++ b/app/views/projects/issues/index.html.haml @@ -5,7 +5,7 @@ - new_issue_email = @project.new_issuable_address(current_user, 'issue') = content_for :meta_tags do - = auto_discovery_link_tag(:atom, params.merge(rss_url_options), title: "#{@project.name} issues") + = auto_discovery_link_tag(:atom, safe_params.merge(rss_url_options).to_h, title: "#{@project.name} issues") - if project_issues(@project).exists? %div{ class: (container_class) } diff --git a/app/views/projects/merge_requests/creations/_new_submit.html.haml b/app/views/projects/merge_requests/creations/_new_submit.html.haml index 376ac37756..68780cedeb 100644 --- a/app/views/projects/merge_requests/creations/_new_submit.html.haml +++ b/app/views/projects/merge_requests/creations/_new_submit.html.haml 
@@ -26,16 +26,16 @@ - else %ul.merge-request-tabs.nav-links.no-top.no-bottom %li.commits-tab.active - = link_to url_for(params), data: {target: 'div#commits', action: 'new', toggle: 'tab'} do + = link_to url_for(safe_params), data: {target: 'div#commits', action: 'new', toggle: 'tab'} do Commits %span.badge= @commits.size - if @pipelines.any? %li.builds-tab - = link_to url_for(params.merge(action: 'pipelines')), data: {target: 'div#pipelines', action: 'pipelines', toggle: 'tab'} do + = link_to url_for(safe_params.merge(action: 'pipelines')), data: {target: 'div#pipelines', action: 'pipelines', toggle: 'tab'} do Pipelines %span.badge= @pipelines.size %li.diffs-tab - = link_to url_for(params.merge(action: 'diffs')), data: {target: 'div#diffs', action: 'diffs', toggle: 'tab'} do + = link_to url_for(safe_params.merge(action: 'diffs')), data: {target: 'div#diffs', action: 'diffs', toggle: 'tab'} do Changes %span.badge= @merge_request.diff_size @@ -46,7 +46,7 @@ -# This tab is always loaded via AJAX - if @pipelines.any? #pipelines.pipelines.tab-pane - = render 'projects/merge_requests/pipelines', endpoint: url_for(params.merge(action: 'pipelines', format: :json)), disable_initialization: true + = render 'projects/merge_requests/pipelines', endpoint: url_for(safe_params.merge(action: 'pipelines', format: :json)), disable_initialization: true .mr-loading-status = spinner diff --git a/config/initializers/gollum.rb b/config/initializers/gollum.rb index 6dfaceb842..81e0577a7c 100644 --- a/config/initializers/gollum.rb +++ b/config/initializers/gollum.rb 
@@ -7,139 +7,6 @@ module Gollum end require "gollum-lib" -module Gollum - class Committer - # Patch for UTF-8 path - def method_missing(name, *args) - index.send(name, *args) - end - end - - class Wiki - def pages(treeish = nil, limit: nil) - tree_list((treeish || @ref), limit: limit) - end - - def tree_list(ref, limit: nil) - if (sha = @access.ref_to_sha(ref)) - commit = @access.commit(sha) - tree_map_for(sha).inject([]) do |list, entry| - next list unless @page_class.valid_page_name?(entry.name) - - list << entry.page(self, commit) - break list if limit && list.size >= limit - - list - end - else - [] - end - end - - # Remove if https://github.com/gollum/gollum-lib/pull/292 has been merged - def update_page(page, name, format, data, commit = {}) - name = name ? ::File.basename(name) : page.name - format ||= page.format - dir = ::File.dirname(page.path) - dir = '' if dir == '.' - filename = (rename = page.name != name) ? Gollum::Page.cname(name) : page.filename_stripped - - multi_commit = !!commit[:committer] - committer = multi_commit ? commit[:committer] : Committer.new(self, commit) - - if !rename && page.format == format - committer.add(page.path, normalize(data)) - else - committer.delete(page.path) - committer.add_to_index(dir, filename, format, data) - end - - committer.after_commit do |index, _sha| - @access.refresh - index.update_working_dir(dir, page.filename_stripped, page.format) - index.update_working_dir(dir, filename, format) - end - - multi_commit ? committer : committer.commit - end - - # Remove if https://github.com/gollum/gollum-lib/pull/292 has been merged - def rename_page(page, rename, commit = {}) - return false if page.nil? - return false if rename.nil? || rename.empty? - - (target_dir, target_name) = ::File.split(rename) - (source_dir, source_name) = ::File.split(page.path) - source_name = page.filename_stripped - - # File.split gives us relative paths with ".", commiter.add_to_index doesn't like that. 
- target_dir = '' if target_dir == '.' - source_dir = '' if source_dir == '.' - target_dir = target_dir.gsub(/^\//, '') # rubocop:disable Style/RegexpLiteral - - # if the rename is a NOOP, abort - if source_dir == target_dir && source_name == target_name - return false - end - - multi_commit = !!commit[:committer] - committer = multi_commit ? commit[:committer] : Committer.new(self, commit) - - # This piece only works for multi_commit - # If we are in a commit batch and one of the previous operations - # has updated the page, any information we ask to the page can be outdated. - # Therefore, we should ask first to the current committer tree to see if - # there is any updated change. - raw_data = raw_data_in_committer(committer, source_dir, page.filename) || - raw_data_in_committer(committer, source_dir, "#{target_name}.#{Page.format_to_ext(page.format)}") || - page.raw_data - - committer.delete(page.path) - committer.add_to_index(target_dir, target_name, page.format, raw_data) - - committer.after_commit do |index, _sha| - @access.refresh - index.update_working_dir(source_dir, source_name, page.format) - index.update_working_dir(target_dir, target_name, page.format) - end - - multi_commit ? committer : committer.commit - end - - # Remove if https://github.com/gollum/gollum-lib/pull/292 has been merged - def raw_data_in_committer(committer, dir, filename) - data = nil - - [*dir.split(::File::SEPARATOR), filename].each do |key| - data = data ? data[key] : committer.tree[key] - break unless data - end - - data - end - end - - module Git - class Git - def tree_entry(commit, path) - pathname = Pathname.new(path) - tmp_entry = nil - - pathname.each_filename do |dir| - tmp_entry = if tmp_entry.nil? - commit.tree[dir] - else - @repo.lookup(tmp_entry[:oid])[dir] - end - - return nil unless tmp_entry - end - tmp_entry - end - end - end -end - Rails.application.configure do config.after_initialize do Gollum::Page.per_page = Kaminari.config.default_per_page 
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 6786b9d07b..afc2ca4e36 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -25,10 +25,11 @@ module Banzai # Only push these customizations once return if customized?(whitelist[:transformers])
- # Allow table alignment; we whitelist specific style properties in a
+ # Allow table alignment; we whitelist specific text-align values in a
 # transformer below
 whitelist[:attributes]['th'] = %w(style)
 whitelist[:attributes]['td'] = %w(style)
+ whitelist[:css] = { properties: ['text-align'] }
 # Allow span elements
 whitelist[:elements].push('span')
diff --git a/lib/banzai/filter/table_of_contents_filter.rb b/lib/banzai/filter/table_of_contents_filter.rb
index 9724415998..b32660a834 100644
--- a/lib/banzai/filter/table_of_contents_filter.rb
+++ b/lib/banzai/filter/table_of_contents_filter.rb
@@ -92,7 +92,7 @@ module Banzai def text
 return '' unless node
- @text ||= node.text
+ @text ||= EscapeUtils.escape_html(node.text)
 end
 private
diff --git a/spec/features/projects/graph_spec.rb b/spec/features/projects/graph_spec.rb
index 57172610ae..335174b772 100644
--- a/spec/features/projects/graph_spec.rb
+++ b/spec/features/projects/graph_spec.rb
@@ -3,6 +3,7 @@ require 'spec_helper' describe 'Project Graph', :js do
 let(:user) { create :user }
 let(:project) { create(:project, :repository, namespace: user.namespace) }
+ let(:branch_name) { 'master' }
 before do project.add_master(user)
@@ -12,7 +13,7 @@ describe 'Project Graph', :js do shared_examples 'page should have commits graphs' do it 'renders commits' do
- expect(page).to have_content('Commit statistics for master')
+ expect(page).to have_content("Commit statistics for #{branch_name}")
 expect(page).to have_content('Commits per day of month')
 end
 end
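Review bot: `text` now returns `EscapeUtils.escape_html(node.text)`, yet nothing in its name or the surrounding code says the value is already HTML-escaped, so a caller that uses it for anything other than markup output — an anchor id or slug, say — would double-escape or mis-slug; whether such a caller exists is outside the hunk. Add a comment above the method, `# Heading text, already HTML-escaped: safe to interpolate into the TOC markup, not meant for id generation`, or give the method a name that says so. The enclosing class starts and ends outside the hunk.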
@@ -57,6 +58,23 @@ describe 'Project Graph', :js do it_behaves_like 'page should have languages graphs' end + context 'chart graph with HTML escaped branch name' do + let(:branch_name) { '

evil

' } + + before do + project.repository.create_branch(branch_name, 'master') + + visit charts_project_graph_path(project, branch_name) + end + + it_behaves_like 'page should have commits graphs' + + it 'HTML escapes branch name' do + expect(page.body).to include("Commit statistics for #{ERB::Util.html_escape(branch_name)}") + expect(page.body).not_to include(branch_name) + end + end + context 'when CI enabled' do before do project.enable_ci diff --git a/spec/finders/user_recent_events_finder_spec.rb b/spec/finders/user_recent_events_finder_spec.rb index 3ca0f7c3c8..da043f9402 100644 --- a/spec/finders/user_recent_events_finder_spec.rb +++ b/spec/finders/user_recent_events_finder_spec.rb 
@@ -1,31 +1,50 @@ require 'spec_helper' describe UserRecentEventsFinder do - let(:user) { create(:user) } - let(:project) { create(:project) } - let(:project_owner) { project.creator } - let!(:event) { create(:event, project: project, author: project_owner) } + let(:current_user) { create(:user) } + let(:project_owner) { create(:user) } + let(:private_project) { create(:project, :private, creator: project_owner) } + let(:internal_project) { create(:project, :internal, creator: project_owner) } + let(:public_project) { create(:project, :public, creator: project_owner) } + let!(:private_event) { create(:event, project: private_project, author: project_owner) } + let!(:internal_event) { create(:event, project: internal_project, author: project_owner) } + let!(:public_event) { create(:event, project: public_project, author: project_owner) } - subject(:finder) { described_class.new(user, project_owner) } + subject(:finder) { described_class.new(current_user, project_owner) } describe '#execute' do - it 'does not include the event when a user does not have access to the project' do - expect(finder.execute).to be_empty + context 'current user does not have access to projects' do + it 'returns public and internal events' do + records = finder.execute + + expect(records).to include(public_event, internal_event) + expect(records).not_to include(private_event) + end end - context 'when the user has access to a project' do + context 'when current user has access to the projects' do before do - project.add_developer(user) + private_project.add_developer(current_user) + internal_project.add_developer(current_user) + public_project.add_developer(current_user) end - it 'includes the event' do - expect(finder.execute).to include(event) + it 'returns all the events' do + expect(finder.execute).to include(private_event, internal_event, public_event) end - it 'does not include the event if the user cannot read cross project' do - expect(Ability).to receive(:allowed?).with(user, 
:read_cross_project) { false } + it 'does not include the events if the user cannot read cross project' do + expect(Ability).to receive(:allowed?).with(current_user, :read_cross_project) { false } expect(finder.execute).to be_empty end end + + context 'when current user is anonymous' do + let(:current_user) { nil } + + it 'returns public events only' do + expect(finder.execute).to eq([public_event]) + end + end end end diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb index ce96e90e2d..3223314918 100644 --- a/spec/helpers/projects_helper_spec.rb +++ b/spec/helpers/projects_helper_spec.rb @@ -244,7 +244,7 @@ describe ProjectsHelper do describe '#link_to_member' do let(:group) { build_stubbed(:group) } let(:project) { build_stubbed(:project, group: group) } - let(:user) { build_stubbed(:user) } + let(:user) { build_stubbed(:user, name: '
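Review bot: The context named `'current user does not have access to projects'` expects internal events to be returned, which is the intended model (any authenticated user can read internal projects) but the name reads as if that were a leak; `context 'when current user is not a member of the projects'` says what the fixture actually sets up and keeps the `not_to include(private_event)` line as the obvious security assertion. With only the three `let!` events in the fixtures the `include`/`not_to include` pair is equivalent to an exact match today, but `expect(records).to match_array([public_event, internal_event])` keeps it exact if more fixtures are added later, matching the strictness the anonymous context already has with `eq([public_event])`. The same applies to `'returns all the events'`, `expect(finder.execute).to match_array([private_event, internal_event, public_event])`.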

Administrator

') } describe 'using the default options' do it 'returns an HTML link to the user' do @@ -252,6 +252,13 @@ describe ProjectsHelper do expect(link).to match(%r{/#{user.username}}) end + + it 'HTML escapes the name of the user' do + link = helper.link_to_member(project, user) + + expect(link).to include(ERB::Util.html_escape(user.name)) + expect(link).not_to include(user.name) + end end end diff --git a/spec/initializers/gollum_spec.rb b/spec/initializers/gollum_spec.rb deleted file mode 100644 index adf824a894..0000000000 --- a/spec/initializers/gollum_spec.rb +++ /dev/null 
@@ -1,62 +0,0 @@ -require 'spec_helper' - -describe 'gollum' do - let(:project) { create(:project) } - let(:user) { project.owner } - let(:wiki) { ProjectWiki.new(project, user) } - let(:gollum_wiki) { Gollum::Wiki.new(wiki.repository.path) } - - before do - create_page(page_name, 'content1') - end - - after do - destroy_page(page_name) - end - - context 'with simple paths' do - let(:page_name) { 'page1' } - - it 'returns the entry hash if it matches the file name' do - expect(tree_entry(page_name)).not_to be_nil - end - - it 'returns nil if the path does not fit completely' do - expect(tree_entry("foo/#{page_name}")).to be_nil - end - end - - context 'with complex paths' do - let(:page_name) { '/foo/bar/page2' } - - it 'returns the entry hash if it matches the file name' do - expect(tree_entry(page_name)).not_to be_nil - end - - it 'returns nil if the path does not fit completely' do - expect(tree_entry("foo1/bar/page2")).to be_nil - expect(tree_entry("foo/bar1/page2")).to be_nil - end - end - - def tree_entry(name) - gollum_wiki.repo.git.tree_entry(wiki_commits[0].commit, name + '.md') - end - - def wiki_commits - gollum_wiki.repo.commits - end - - def commit_details - Gitlab::Git::Wiki::CommitDetails.new(user.name, user.email, "test commit") - end - - def create_page(name, content) - wiki.wiki.write_page(name, :markdown, content, commit_details) - end - - def destroy_page(name) - page = wiki.find_page(name).page - wiki.delete_page(page, "test commit") - end -end diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index 17a620ef60..d930c608b1 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -93,6 +93,16 @@ describe Banzai::Filter::SanitizationFilter do expect(doc.at_css('td')['style']).to eq 'text-align: center' end + it 'disallows `text-align` property in `style` attribute on other elements' do + html = <<~HTML +
Text
+ HTML + + doc = filter(html) + + expect(doc.at_css('div')['style']).to be_nil + end + it 'allows `span` elements' do exp = act = %q{Hello} expect(filter(act).to_html).to eq exp @@ -224,7 +234,7 @@ describe Banzai::Filter::SanitizationFilter do 'protocol-based JS injection: spaces and entities' => { input: 'foo', - output: 'foo' + output: 'foo' }, 'protocol whitespace' => { diff --git a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb index 0cfef4ff5b..7213cd58ea 100644 --- a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb +++ b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb @@ -139,5 +139,14 @@ describe Banzai::Filter::TableOfContentsFilter do expect(items[5].ancestors).to include(items[4]) end end + + context 'header text contains escaped content' do + let(:content) { '<img src="x" onerror="alert(42)">' } + let(:results) { result(header(1, content)) } + + it 'outputs escaped content' do + expect(doc.inner_html).to include(content) + end + end end end From 08016043adba37323abc13455840afb777d4c57d Mon Sep 17 00:00:00 2001 From: Pirate Praveen Date: Wed, 27 Jun 2018 16:13:27 +0530 Subject: [PATCH 2/4] Refresh patches --- debian/patches/0050-relax-stable-libs.patch | 31 ++++++++++--------- .../0100-remove-development-test.patch | 4 +-- ...0-make-test-dependencies-conditional.patch | 4 +-- debian/patches/0220-relax-webmock.patch | 2 +- debian/patches/0290-skip-peek-mysql2.patch | 2 +- debian/patches/0300-relax-rbnacl.patch | 2 +- debian/patches/0340-relax-httparty.patch | 2 +- debian/patches/0360-relax-rdoc.patch | 2 +- debian/patches/0390-relax-gitaly-proto.patch | 2 +- debian/patches/0395-relax-grape-entity.patch | 2 +- .../0396-relax-asciidoctor-plantuml.patch | 4 +-- 11 files changed, 29 insertions(+), 28 deletions(-) diff --git a/debian/patches/0050-relax-stable-libs.patch b/debian/patches/0050-relax-stable-libs.patch index 0372cdee29..b6da0a31b9 100644 
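Review bot: `expect(doc.at_css('div')['style']).to be_nil` raises `NoMethodError` on `nil` instead of giving a readable failure if the sanitizer ever removes the `div` element itself; `div = doc.at_css('div')` / `expect(div).not_to be_nil` / `expect(div['style']).to be_nil` reports both outcomes properly. More importantly, the new example only shows that `style` is stripped from an element where the attribute is presumably not allowed at all, which the per-element attribute whitelist already covered; the behaviour the new `whitelist[:css]` line introduces, dropping other declarations while keeping `text-align` on a cell, is not exercised, e.g. a `td` with `style="color: red; text-align: center"` expected to come out as `text-align: center` next to the existing `td` example above it. The second hunk's updated expectation for the JS-protocol case has lost its markup in this rendering, so I cannot judge it.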
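Review bot: `let(:results) { result(header(1, content)) }` is lazy and nothing in the example references it; the assertion reads `doc.inner_html`, so unless `doc` is defined near the top of this spec (outside the hunk) in terms of `results`, the filter never runs on this header and `include(content)` passes trivially. If `doc` is built from `results` elsewhere that is fine, but an explicit `let(:doc) { results[:output] }` (or whatever the file's convention is) beside it would make the example self-contained. The `content` literal shown here appears to have lost its entity encoding in this rendering (the example's name says escaped content), so I am reading it as `&lt;img …&gt;`; on that reading a second assertion that the decoded form is absent, `expect(doc.inner_html).not_to include('<img')`, is what actually proves the entities are not turned back into a tag.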
--- a/debian/patches/0050-relax-stable-libs.patch +++ b/debian/patches/0050-relax-stable-libs.patch @@ -75,8 +75,8 @@ gitlab Gemfile # Browser detection gem 'browser', '~> 2.2' -@@ -93,12 +93,12 @@ - gem 'gollum-rugged_adapter', '~> 0.4.4', require: false +@@ -86,12 +86,12 @@ + gem 'gitlab-gollum-rugged_adapter', '~> 0.4.4', require: false # Language detection -gem 'github-linguist', '~> 5.3.3', require: 'linguist' @@ -90,7 +90,7 @@ gitlab Gemfile # Disable strong_params so that Mash does not respond to :permitted? gem 'hashie-forbidden_attributes' -@@ -107,7 +107,7 @@ +@@ -100,7 +100,7 @@ gem 'kaminari', '~> 1.0' # HAML @@ -99,7 +99,7 @@ gitlab Gemfile # Files attachments gem 'carrierwave', '~> 1.2' -@@ -116,7 +116,7 @@ +@@ -109,7 +109,7 @@ gem 'dropzonejs-rails', '~> 0.7.1' # for backups @@ -108,7 +108,7 @@ gitlab Gemfile gem 'fog-core', '~> 1.44' gem 'fog-google', '~> 1.3.3' gem 'fog-local', '~> 0.3' -@@ -131,32 +131,32 @@ +@@ -124,32 +124,32 @@ gem 'unf', '~> 0.1.4' # Seed data @@ -133,7 +133,7 @@ gitlab Gemfile -gem 'asciidoctor', '~> 1.5.6' +gem 'asciidoctor', '~> 1.5', '>= 1.5.6' gem 'asciidoctor-plantuml', '0.0.8' - gem 'rouge', '~> 2.0' + gem 'rouge', '~> 3.1' gem 'truncato', '~> 0.7.9' -gem 'bootstrap_form', '~> 2.7.0' -gem 'nokogiri', '~> 1.8.2' @@ -151,7 +151,7 @@ gitlab Gemfile gem 'unicorn-worker-killer', '~> 0.4.4' end -@@ -169,7 +169,7 @@ +@@ -162,7 +162,7 @@ # Background jobs gem 'sidekiq', '~> 5.0' gem 'sidekiq-cron', '~> 0.6.0' @@ -160,7 +160,7 @@ gitlab Gemfile gem 'sidekiq-limit_fetch', '~> 3.4', require: false # Cron Parser -@@ -182,36 +182,36 @@ +@@ -175,36 +175,36 @@ gem 'rainbow', '~> 2.2' # GitLab settings @@ -204,7 +204,7 @@ gitlab Gemfile # Asana integration gem 'asana', '~> 0.6.0' -@@ -223,11 +223,11 @@ +@@ -216,11 +216,11 @@ gem 'kubeclient', '~> 3.0' # d3 
@@ -212,13 +212,14 @@ gitlab Gemfile +gem 'd3_rails', '~> 3.5' # Sanitize user input - gem 'sanitize', '~> 2.0' +-gem 'sanitize', '~> 4.6.5' -gem 'babosa', '~> 1.0.2' ++gem 'sanitize', '~> 4.6', '>= 4.6.5' +gem 'babosa', '~> 1.0', '>= 1.0.2' # Sanitizes SVG input gem 'loofah', '~> 2.2' -@@ -236,13 +236,13 @@ +@@ -229,13 +229,13 @@ gem 'licensee', '~> 8.9' # Protect against bruteforcing @@ -235,7 +236,7 @@ gitlab Gemfile # Detect and convert string character encoding gem 'charlock_holmes', '~> 0.7.5' -@@ -257,43 +257,43 @@ +@@ -250,43 +250,43 @@ gem 'webpack-rails', '~> 0.9.10' gem 'rack-proxy', '~> 0.6.0' @@ -296,7 +297,7 @@ gitlab Gemfile # Metrics group :metrics do -@@ -405,12 +405,12 @@ +@@ -398,12 +398,12 @@ gem 'health_check', '~> 2.6.0' # System information @@ -313,7 +314,7 @@ gitlab Gemfile # Required for ED25519 SSH host key support group :ed25519 do -@@ -421,12 +421,12 @@ +@@ -414,12 +414,12 @@ # Gitaly GRPC client gem 'gitaly-proto', '~> 0.96.0', require: 'gitaly' @@ -329,7 +330,7 @@ gitlab Gemfile # Feature toggles gem 'flipper', '~> 0.13.0' -@@ -438,4 +438,4 @@ +@@ -431,4 +431,4 @@ gem 'grape_logging', '~> 1.7' # Asset synchronization diff --git a/debian/patches/0100-remove-development-test.patch b/debian/patches/0100-remove-development-test.patch index d0257f119f..18d9f29c68 100644 --- a/debian/patches/0100-remove-development-test.patch +++ b/debian/patches/0100-remove-development-test.patch @@ -2,7 +2,7 @@ Bundler will fail when it can't find these locally --- a/Gemfile +++ b/Gemfile -@@ -281,7 +281,6 @@ +@@ -274,7 +274,6 @@ gem 'rails-i18n', gem_versions['rails-i18n'] gem 'gettext_i18n_rails', '~> 1.8' gem 'gettext_i18n_rails_js', '~> 1.3' @@ -10,7 +10,7 @@ Bundler will fail when it can't find these locally gem 'batch-loader', '~> 1.2', '>= 1.2.1' -@@ -306,21 +305,6 @@ +@@ -299,21 +298,6 @@ gem 'raindrops', '~> 0.18' end 
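Review bot: The refreshed patch keeps upstream's new floor while widening the pessimistic constraint, `gem 'sanitize', '~> 4.6', '>= 4.6.5'`, and that floor matters more than the other relaxations in this file: upstream moved from the 2.x line to 4.6.5 in this release, and the new `whitelist[:css]` in lib/banzai/filter/sanitization_filter.rb relies on the Sanitize 4 CSS configuration, so an older gem would fail at runtime rather than at bundle time. A Gemfile constraint cannot enforce this on the Debian side, though; unless debian/control (only partially visible in this series) declares a versioned `ruby-sanitize (>= 4.6.5)` dependency, apt can install the package against an archive version that Bundler then rejects on first boot. Worth checking that binary dependency alongside this refresh.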
diff --git a/debian/patches/0110-make-test-dependencies-conditional.patch b/debian/patches/0110-make-test-dependencies-conditional.patch index d4c65149cd..4c40c457af 100644 --- a/debian/patches/0110-make-test-dependencies-conditional.patch +++ b/debian/patches/0110-make-test-dependencies-conditional.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -306,7 +306,7 @@ +@@ -299,7 +299,7 @@ gem 'raindrops', '~> 0.18' end @@ -9,7 +9,7 @@ gem 'bullet', '~> 5.5.0', require: !!ENV['ENABLE_BULLET'] gem 'pry-byebug', '~> 3.4.1', platform: :mri gem 'pry-rails', '~> 0.3.4' -@@ -361,9 +361,9 @@ +@@ -354,9 +354,9 @@ gem 'simple_po_parser', '~> 1.1.2', require: false gem 'timecop', '~> 0.8.0' diff --git a/debian/patches/0220-relax-webmock.patch b/debian/patches/0220-relax-webmock.patch index fec780109d..2ae0131054 100644 --- a/debian/patches/0220-relax-webmock.patch +++ b/debian/patches/0220-relax-webmock.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -367,7 +367,7 @@ +@@ -360,7 +360,7 @@ gem 'shoulda-matchers', '~> 3.1.2', require: false gem 'email_spec', '~> 1.6.0' gem 'json-schema', '~> 2.8.0' diff --git a/debian/patches/0290-skip-peek-mysql2.patch b/debian/patches/0290-skip-peek-mysql2.patch index 10506ea9db..1d84e19aa9 100644 --- a/debian/patches/0290-skip-peek-mysql2.patch +++ b/debian/patches/0290-skip-peek-mysql2.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -288,7 +288,6 @@ +@@ -281,7 +281,6 @@ # Perf bar gem 'peek', '~> 1.0', '>= 1.0.1' gem 'peek-gc', '~> 0.0.2' diff --git a/debian/patches/0300-relax-rbnacl.patch b/debian/patches/0300-relax-rbnacl.patch index 54c3f6cf8d..785db486ab 100644 --- a/debian/patches/0300-relax-rbnacl.patch +++ b/debian/patches/0300-relax-rbnacl.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -399,7 +399,7 @@ +@@ -392,7 +392,7 @@ # Required for ED25519 SSH host key support group :ed25519 do gem 'rbnacl-libsodium' 
diff --git a/debian/patches/0340-relax-httparty.patch b/debian/patches/0340-relax-httparty.patch index 59204344cd..db561f8948 100644 --- a/debian/patches/0340-relax-httparty.patch +++ b/debian/patches/0340-relax-httparty.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -177,7 +177,7 @@ +@@ -170,7 +170,7 @@ gem 'rufus-scheduler', '~> 3.4' # HTTP requests diff --git a/debian/patches/0360-relax-rdoc.patch b/debian/patches/0360-relax-rdoc.patch index 36f81974c9..924b2dac9c 100644 --- a/debian/patches/0360-relax-rdoc.patch +++ b/debian/patches/0360-relax-rdoc.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -141,7 +141,7 @@ +@@ -134,7 +134,7 @@ gem 'redcarpet', '~> 3.4' gem 'commonmarker', '~> 0.17' gem 'RedCloth', '~> 4.3', '>= 4.3.2' diff --git a/debian/patches/0390-relax-gitaly-proto.patch b/debian/patches/0390-relax-gitaly-proto.patch index 6009e12e9d..35b840cb91 100644 --- a/debian/patches/0390-relax-gitaly-proto.patch +++ b/debian/patches/0390-relax-gitaly-proto.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -404,7 +404,7 @@ +@@ -397,7 +397,7 @@ end # Gitaly GRPC client diff --git a/debian/patches/0395-relax-grape-entity.patch b/debian/patches/0395-relax-grape-entity.patch index 79da5c6d0b..2eaf0f0ce8 100644 --- a/debian/patches/0395-relax-grape-entity.patch +++ b/debian/patches/0395-relax-grape-entity.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -98,7 +98,7 @@ +@@ -91,7 +91,7 @@ # API gem 'grape', '~> 1.0' diff --git a/debian/patches/0396-relax-asciidoctor-plantuml.patch b/debian/patches/0396-relax-asciidoctor-plantuml.patch index 626fa790a2..828bcf84f3 100644 --- a/debian/patches/0396-relax-asciidoctor-plantuml.patch +++ b/debian/patches/0396-relax-asciidoctor-plantuml.patch @@ -2,12 +2,12 @@ https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18643 --- a/Gemfile 
+++ b/Gemfile -@@ -146,7 +146,7 @@ +@@ -139,7 +139,7 @@ gem 'creole', '~> 0.5.0' gem 'wikicloth', '0.8.1' gem 'asciidoctor', '~> 1.5', '>= 1.5.6' -gem 'asciidoctor-plantuml', '0.0.8' +gem 'asciidoctor-plantuml', '~> 0.0.8' - gem 'rouge', '~> 2.0' + gem 'rouge', '~> 3.1' gem 'truncato', '~> 0.7.9' gem 'bootstrap_form', '~> 2.7' From 8110b429a57600e890f7d8d476347517dc83468b Mon Sep 17 00:00:00 2001 From: Pirate Praveen Date: Wed, 27 Jun 2018 16:14:39 +0530 Subject: [PATCH 3/4] update changelog --- debian/changelog | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 549a757b06..dd42256003 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,10 +1,12 @@ -gitlab (10.7.5+dfsg-4) experimental; urgency=medium +gitlab (10.7.6+dfsg-1) experimental; urgency=medium + * New upstream version 10.7.6+dfsg + * Refresh patches * Move common dependencies to gitlab-common * Don't remove gitlab_data_dir in purge * Support upgrading from 8.13 to 10.x - -- Pirate Praveen Thu, 21 Jun 2018 21:42:45 +0530 + -- Pirate Praveen Wed, 27 Jun 2018 16:14:20 +0530 gitlab (10.7.5+dfsg-3) experimental; urgency=medium From 1c5c24cd8fe3d30db5c46413773084b17ab3a711 Mon Sep 17 00:00:00 2001 From: Pirate Praveen Date: Wed, 27 Jun 2018 16:17:54 +0530 Subject: [PATCH 4/4] add back ruby dependency --- debian/control | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/control b/debian/control index a326aaae8e..0d35520420 100644 --- a/debian/control +++ b/debian/control @@ -17,6 +17,7 @@ Architecture: all XB-Ruby-Versions: ${ruby:Versions} Depends: ${shlibs:Depends}, ${misc:Depends}, gitlab-common, + ruby | ruby-interpreter, lsb-base (>= 3.0-6), rake (>= 12.3.0~), bundler,