realaravinth/debian-mirror-gitlab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Update upstream source from tag 'upstream/13.0.4'

Browse source 
Update to upstream version '13.0.4'
with Debian dir 5842ec48df
This commit is contained in:
Pirate Praveen 2020-06-04 15:14:34 +05:30
commit 4e5a3c2e9b
7 changed files with 108 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG-EE.md
View file

@ -1,5 +1,9 @@
Please view this file on the master branch, on stable branches it's out of date. Please view this file on the master branch, on stable branches it's out of date.
## 13.0.3 (2020-05-29)
- No changes.
## 13.0.2 (2020-05-28) ## 13.0.2 (2020-05-28)
- No changes. - No changes.

7
CHANGELOG.md
View file

@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own documentation](doc/development/changelog.md) for instructions on adding your own
entry. entry.
## 13.0.4 (2020-06-03)
### Security (1 change)
- Prevent fetching repository code with unauthorized ci token.
## 13.0.3 (2020-05-29) ## 13.0.3 (2020-05-29)
### Fixed (8 changes, 1 of them is from the community) ### Fixed (8 changes, 1 of them is from the community)

2
GITALY_SERVER_VERSION
View file

@ -1 +1 @@
13.0.3 13.0.4

2
VERSION
View file

@ -1 +1 @@
13.0.3 13.0.4

1
app/policies/project_policy.rb
View file

@ -463,6 +463,7 @@ class ProjectPolicy < BasePolicy
rule { repository_disabled }.policy do rule { repository_disabled }.policy do
prevent :push_code prevent :push_code
prevent :download_code prevent :download_code
prevent :build_download_code
prevent :fork_project prevent :fork_project
prevent :read_commit_status prevent :read_commit_status
prevent :read_pipeline prevent :read_pipeline

62
spec/factories/pages_domains.rb
View file

@ -114,36 +114,38 @@ lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
+AZxAeKCINT+b72x +AZxAeKCINT+b72x
-----END CERTIFICATE----- -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5
gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR
AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6 6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X
2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC
ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt 9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV
4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq /erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf
m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/ Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z
vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT +pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w
8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah
IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC
KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf
GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/ Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq
s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E
JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9 /wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl
MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM
bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6 4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV
Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ 2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna
zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ
Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK
Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5 boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke
B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL
PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb
pu/xO28QOG8= QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
NVOFBkpdn627G190
-----END CERTIFICATE-----' -----END CERTIFICATE-----'
end end
end end

103
spec/policies/project_policy_spec.rb
View file

@ -5,6 +5,7 @@ require 'spec_helper'
describe ProjectPolicy do describe ProjectPolicy do
include ExternalAuthorizationServiceHelpers include ExternalAuthorizationServiceHelpers
include_context 'ProjectPolicy context' include_context 'ProjectPolicy context'
let_it_be(:other_user) { create(:user) }
let_it_be(:guest) { create(:user) } let_it_be(:guest) { create(:user) }
let_it_be(:reporter) { create(:user) } let_it_be(:reporter) { create(:user) }
let_it_be(:developer) { create(:user) } let_it_be(:developer) { create(:user) }
@ -163,7 +164,7 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
it 'disallows all permissions when the feature is disabled' do it 'disallows all permissions when the feature is disabled' do
project.project_feature.update(merge_requests_access_level: ProjectFeature::DISABLED) project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
mr_permissions = [:create_merge_request_from, :read_merge_request, mr_permissions = [:create_merge_request_from, :read_merge_request,
:update_merge_request, :admin_merge_request, :update_merge_request, :admin_merge_request,
@ -215,7 +216,7 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
before do before do
project.project_feature.update(builds_access_level: ProjectFeature::DISABLED) project.project_feature.update!(builds_access_level: ProjectFeature::DISABLED)
end end
context 'without metrics_dashboard_allowed' do context 'without metrics_dashboard_allowed' do
@ -260,7 +261,7 @@ describe ProjectPolicy do
subject { described_class.new(guest, project) } subject { described_class.new(guest, project) }
before do before do
project.project_feature.update(builds_access_level: ProjectFeature::PRIVATE) project.project_feature.update!(builds_access_level: ProjectFeature::PRIVATE)
end end
it 'disallows pipeline and commit_status permissions' do it 'disallows pipeline and commit_status permissions' do
@ -275,50 +276,70 @@ describe ProjectPolicy do
end end
context 'repository feature' do context 'repository feature' do
subject { described_class.new(owner, project) } let(:repository_permissions) do
[
before do :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
project.project_feature.update(repository_access_level: ProjectFeature::DISABLED) :create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
:destroy_release, :download_code, :build_download_code
]
end end
context 'without metrics_dashboard_allowed' do context 'when user is a project member' do
before do subject { described_class.new(owner, project) }
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
end
it 'disallows all permissions when the feature is disabled' do context 'when it is disabled' do
repository_permissions = [ before do
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, project.project_feature.update!(
:create_build, :read_build, :update_build, :admin_build, :destroy_build, repository_access_level: ProjectFeature::DISABLED,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, merge_requests_access_level: ProjectFeature::DISABLED,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, builds_access_level: ProjectFeature::DISABLED,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster, forking_access_level: ProjectFeature::DISABLED
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment, )
:destroy_release end
]
expect_disallowed(*repository_permissions) context 'without metrics_dashboard_allowed' do
before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
end
it 'disallows all permissions when the feature is disabled' do
expect_disallowed(*repository_permissions)
end
end
context 'with metrics_dashboard_allowed' do
before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end
it 'disallows all permissions but read_environment when the feature is disabled' do
expect_disallowed(*(repository_permissions - [:read_environment]))
expect_allowed(:read_environment)
end
end
end end
end end
context 'with metrics_dashboard_allowed' do context 'when user is some other user' do
before do subject { described_class.new(other_user, project) }
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end
it 'disallows all permissions when the feature is disabled' do context 'when access level is private' do
repository_permissions = [ before do
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, project.project_feature.update!(
:create_build, :read_build, :update_build, :admin_build, :destroy_build, repository_access_level: ProjectFeature::PRIVATE,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, merge_requests_access_level: ProjectFeature::PRIVATE,
:create_environment, :update_environment, :admin_environment, :destroy_environment, builds_access_level: ProjectFeature::PRIVATE,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster, forking_access_level: ProjectFeature::PRIVATE
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment, )
:destroy_release end
]
expect_disallowed(*repository_permissions) it 'disallows all permissions' do
expect_allowed(:read_environment) expect_disallowed(*repository_permissions)
end
end end
end end
end end
@ -601,7 +622,7 @@ describe ProjectPolicy do
context 'feature enabled' do context 'feature enabled' do
before do before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end end
context 'with reporter' do context 'with reporter' do
@ -665,7 +686,7 @@ describe ProjectPolicy do
context 'feature enabled' do context 'feature enabled' do
before do before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end end
context 'with reporter' do context 'with reporter' do
@ -750,7 +771,7 @@ describe ProjectPolicy do
context 'feature disabled' do context 'feature disabled' do
before do before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED) project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::DISABLED)
end end
context 'with reporter' do context 'with reporter' do