Merge tag 'debian/12.2.9-5' into buster-fasttrack

gitlab Debian release 12.2.9-5

debian/changelog

@@ -1,3 +1,42 @@
+gitlab (12.2.9-5) experimental; urgency=medium
+
+  * Bump minimum version of ruby-font-awesome-rails to allow rails 5.2.3
+  * Add patches for CVEs (Fixes: CVE-2019-19254, CVE-2019-19257)
+  * Tighten dependency on gitlab-workhorse and gitaly (Fixes: CVE-2019-19260)
+  * Set minimum version of ruby-gitlab-labkit as 0.5~ (for gitaly 1.65.2)
+
+ -- Pirate Praveen <praveen@debian.org>  Fri, 29 Nov 2019 12:10:38 +0530
+
+gitlab (12.2.9-4) experimental; urgency=medium
+
+  * Update node-d3 to version 5.12 (required to update rollup to 1.x)
+
+ -- Pirate Praveen <praveen@debian.org>  Fri, 22 Nov 2019 21:25:38 +0530
+
+gitlab (12.2.9-3) experimental; urgency=medium
+
+  [ Dmitry Smirnov ]
+  * Revert "Add sp.js to debian/missing-sources"
+
+  [ Pirate Praveen ]
+  * Add gitlab-rails-console command as a convenience script
+  * Update minimum version for rm_confifile maintscript option
+
+  [ Utkarsh Gupta ]
+  * Add patch to bump rubyzip (Closes: #944906)
+
+  [ Pirate Praveen ]
+  * Bump minimum version of ruby-zip to 2.0 to match Gemfile
+
+ -- Pirate Praveen <praveen@debian.org>  Wed, 20 Nov 2019 13:16:32 +0530
+
+gitlab (12.2.9-2) experimental; urgency=medium
+
+  * Change .cache/yarn/v4 -> .cache/yarn/v6
+  * Add sp.js to debian/missing-sources
+
+ -- Utkarsh Gupta <guptautkarsh2102@gmail.com>  Sat, 02 Nov 2019 01:40:43 +0530
+
 gitlab (12.2.9-1+fto10+2) buster-fasttrack; urgency=medium
 
   * Update minimum version for rm_confifile maintscript option (Closes:

debian/control

@@ -35,7 +35,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
  openssh-client,
  bzip2,
  ucf,
- gitlab-workhorse (>= 8.8.1~),
+ gitlab-workhorse (>= 8.8.1+debian-3~),
  ruby-rails (>= 2:5.2.3~),
  ruby-bootsnap,
  ruby-nakayoshi-fork (>= 0.0.4~),
@@ -82,7 +82,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
  ruby-u2f (>= 0.2.1~),
 # GitLab Pages
  ruby-validates-hostname (>= 1.0.6~),
- ruby-zip (>= 1.2.2),
+ ruby-zip (>= 2.0~),
 # GitLab Pages letsencrypt support
  ruby-acme-client (>= 2.0.2~),
 # Browser detection
@@ -241,7 +241,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
    libjs-uglify (<< 3.0~),
 #
  ruby-addressable (>= 2.5.2~),
- ruby-font-awesome-rails (>= 4.7~),
+ ruby-font-awesome-rails (>= 4.7.0.4~),
  ruby-gemojione (>= 3.3~),
  ruby-gon (>= 6.2~),
  ruby-jquery-atwho-rails (>= 1.3.2~),
@@ -252,7 +252,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
 #
  ruby-premailer-rails (>= 1.9.7~),
 # LabKit: Tracing and Correlation
- ruby-gitlab-labkit (>= 0.4.2-2~),
+ ruby-gitlab-labkit (>= 0.5~),
 # I18n
  ruby-parser (>= 3.8.2~),
  ruby-rails-i18n (>= 5.1~),
@@ -302,7 +302,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
  ruby-ed25519 (>= 1.2~),
  ruby-bcrypt-pbkdf (>= 1.0~),
 # Gitaly GRPC client
- ruby-gitaly (>= 1.58~),
+ ruby-gitaly (>= 1.65.2+dfsg-1~),
  ruby-grpc (>= 1.19~),
  ruby-google-protobuf (>= 3.7.1~),
 #
@@ -330,7 +330,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
 # need transition (embedded)
  node-core-js (<< 3~),
  node-css-loader,
- node-d3,
+ node-d3 (>= 5.12~),
  node-d3-array,
  node-d3-axis,
  node-d3-brush,
@@ -381,7 +381,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
 # gitlab-sidekiq was failing without puma
  puma
 Recommends: certbot,
- gitaly (>= 1.59.3~)
+ gitaly (>= 1.65.2+dfsg-1~)
 Conflicts: libruby2.3
 Description: git powered software platform to collaborate on code (non-omnibus)
  gitlab provides web based interface to host source code and track issues.

debian/gitlab-rails-console.sh

@@ -0,0 +1,12 @@
+#! /bin/sh
+
+set -e
+
+# Read debian specific configuration
+. /etc/gitlab-common/gitlab-common.conf
+. /etc/gitlab/gitlab-debian.conf
+export DB RAILS_ENV
+
+cd /usr/share/gitlab
+
+runuser -u ${gitlab_user} -- sh -c "/usr/bin/bundle exec rails console -e production"

debian/gitlab.install

@@ -11,6 +11,7 @@ debian/conf/nginx.conf.example usr/lib/gitlab/templates
 debian/conf/nginx.ssl.conf.example usr/lib/gitlab/templates
 debian/rake-tasks.sh usr/lib/gitlab/scripts
 debian/gitlab-rake.sh usr/lib/gitlab/scripts
+debian/gitlab-rails-console.sh usr/lib/gitlab/scripts
 babel.config.js usr/share/gitlab
 app usr/share/gitlab
 bin usr/share/gitlab

debian/gitlab.links

@@ -31,3 +31,4 @@ usr/share/javascript/fuzzaldrin/fuzzaldrin-plus.js usr/share/gitlab/vendor/asset
 /var/lib/gitlab/.gitlab_shell_secret    /usr/share/gitlab/.gitlab_shell_secret
 /var/lib/gitlab/Gemfile.lock    /usr/share/gitlab/Gemfile.lock
 /usr/lib/gitlab/scripts/gitlab-rake.sh  /usr/sbin/gitlab-rake
+/usr/lib/gitlab/scripts/gitlab-rails-console.sh  /usr/sbin/gitlab-rails-console

debian/patches/0482-relax-gitlab-labkit.patch

@@ -0,0 +1,11 @@
+--- a/Gemfile
++++ b/Gemfile
+@@ -276,7 +276,7 @@
+ gem 'premailer-rails', '~> 1.9', '>=1.9.7'
+ 
+ # LabKit: Tracing and Correlation
+-gem 'gitlab-labkit', '~> 0.4.2'
++gem 'gitlab-labkit', '~> 0.5'
+ 
+ # I18n
+ gem 'ruby_parser', '~> 3.8', require: false

debian/patches/0760-bump-rubyzip.patch

@@ -0,0 +1,36 @@
+Description: This patch bumps rubyzip to 2.0.
+Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
+Bug-Debian: https://bugs.debian.org/944906
+Last-Update: 2019-11-19
+
+--- a/Gemfile
++++ b/Gemfile
+@@ -61,7 +61,7 @@
+ 
+ # GitLab Pages
+ gem 'validates_hostname', '~> 1.0', '>= 1.0.6'
+-gem 'rubyzip', '~> 1.2', '>= 1.2.2', require: 'zip'
++gem 'rubyzip', '~> 2.0', '>= 2.0.0', require: 'zip'
+ # GitLab Pages letsencrypt support
+ gem 'acme-client', '~> 2.0', '>= 2.0.2'
+ 
+--- a/Gemfile.lock
++++ b/Gemfile.lock
+@@ -845,7 +845,7 @@
+       sexp_processor (~> 4.9)
+     rubyntlm (0.6.2)
+     rubypants (0.2.0)
+-    rubyzip (1.2.2)
++    rubyzip (2.0.0)
+     rugged (0.28.3.1)
+     safe_yaml (1.0.4)
+     sanitize (4.6.6)
+@@ -1220,7 +1220,7 @@
+   ruby-prof (~> 0.17.0)
+   ruby-progressbar
+   ruby_parser (~> 3.8)
+-  rubyzip (~> 1.2.2)
++  rubyzip (~> 2.0.0)
+   rugged (~> 0.28)
+   sanitize (~> 4.6)
+   sassc-rails (~> 2.1.0)

debian/patches/0770-bump-node-d3.patch

@@ -0,0 +1,43 @@
+From fd28d39ac35ec6123272d20ade21025403b38b78 Mon Sep 17 00:00:00 2001
+From: Pirate Praveen <praveen@debian.org>
+Date: Fri, 18 Oct 2019 11:20:19 +0000
+Subject: [PATCH 1/2] Update d3 node module 4.13 -> 5.12
+
+---
+ package.json |   2 +-
+ yarn.lock    | 130 +++++++++++++++------------------------------------
+ 2 files changed, 38 insertions(+), 94 deletions(-)
+
+--- a/package.json
++++ b/package.json
+@@ -61,7 +61,7 @@
+     "core-js": "^3.1.3",
+     "cropper": "^2.3.0",
+     "css-loader": "^1.0.0",
+-    "d3": "^4.13.0",
++    "d3": "^5.12.0",
+     "d3-array": "^1.2.1",
+     "d3-axis": "^1.0.8",
+     "d3-brush": "^1.0.4",
+--- a/app/assets/javascripts/vue_shared/components/bar_chart.vue
++++ b/app/assets/javascripts/vue_shared/components/bar_chart.vue
+@@ -124,9 +124,7 @@
+     },
+   },
+   mounted() {
+-    if (!this.allValuesEmpty) {
+-      this.draw();
+-    }
++    this.draw();
+   },
+   methods: {
+     draw() {
+@@ -153,7 +151,7 @@
+       this.yScale = d3.scaleLinear().rangeRound([this.vbHeight, 0]);
+ 
+       this.xScale.domain(this.graphData.map(d => d.name));
+-      this.yScale.domain([0, d3.max(this.graphData.map(d => d.value))]);
++      this.yScale.domain([0, d3.max(this.graphData.map(d => d.value)) || Infinity]);
+ 
+       // Zoom/Panning Function
+       this.zoom = d3

debian/patches/CVE-2019-19254.patch

@@ -0,0 +1,154 @@
+From 5bdfcaa1c268aa475a11480a0ae33691f73a1a96 Mon Sep 17 00:00:00 2001
+From: Brandon Labuschagne <blabuschagne@gitlab.com>
+Date: Fri, 15 Nov 2019 14:39:29 +0000
+Subject: [PATCH 1/2] Ensure that summary items remain aligned
+
+Default number of items is 3. If this is not the case,
+then increase the column width of the summary items
+to cater for 2 items plus the date filter.
+---
+ .../javascripts/cycle_analytics/cycle_analytics_bundle.js   | 6 ++++++
+ app/views/projects/cycle_analytics/show.html.haml           | 4 ++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/app/assets/javascripts/cycle_analytics/cycle_analytics_bundle.js
++++ b/app/assets/javascripts/cycle_analytics/cycle_analytics_bundle.js
+@@ -56,10 +56,16 @@
+         service: this.createCycleAnalyticsService(cycleAnalyticsEl.dataset.requestPath),
+       };
+     },
++    defaultNumberOfSummaryItems: 3,
+     computed: {
+       currentStage() {
+         return this.store.currentActiveStage();
+       },
++      summaryTableColumnClass() {
++        return this.state.summary.length === this.$options.defaultNumberOfSummaryItems
++          ? 'col-sm-3'
++          : 'col-sm-4';
++      },
+     },
+     created() {
+       // Conditional check placed here to prevent this method from being called on the
+--- a/app/views/projects/cycle_analytics/show.html.haml
++++ b/app/views/projects/cycle_analytics/show.html.haml
+@@ -14,10 +14,10 @@
+       .content-block
+         .container-fluid
+           .row
+-            .col-sm-3.col-12.column{ "v-for" => "item in state.summary" }
++            .col-12.column{ "v-for" => "item in state.summary", ":class" => "summaryTableColumnClass" }
+               %h3.header {{ item.value }}
+               %p.text {{ item.title }}
+-            .col-sm-3.col-12.column
++            .col-12.column{ ":class" => "summaryTableColumnClass" }
+               .dropdown.inline.js-ca-dropdown
+                 %button.dropdown-menu-toggle{ "data-toggle" => "dropdown", :type => "button" }
+                   %span.dropdown-label {{ n__('Last %d day', 'Last %d days', 30) }}
+--- /dev/null
++++ b/changelogs/unreleased/security-ag-cycle-analytics-guest-permissions.yml
+@@ -0,0 +1,5 @@
++---
++title: Hide commit counts from guest users in Cycle Analytics.
++merge_request:
++author:
++type: security
+--- a/lib/gitlab/cycle_analytics/stage_summary.rb
++++ b/lib/gitlab/cycle_analytics/stage_summary.rb
+@@ -10,13 +10,29 @@
+       end
+ 
+       def data
+-        [serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user)),
+-         serialize(Summary::Commit.new(project: @project, from: @from)),
+-         serialize(Summary::Deploy.new(project: @project, from: @from))]
++        summary = [issue_stats]
++        summary << commit_stats if user_has_sufficient_access?
++        summary << deploy_stats
+       end
+ 
+       private
+ 
++      def issue_stats
++        serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user))
++      end
++
++      def commit_stats
++        serialize(Summary::Commit.new(project: @project, from: @from))
++      end
++
++      def deploy_stats
++        serialize(Summary::Deploy.new(project: @project, from: @from))
++      end
++
++      def user_has_sufficient_access?
++        @project.team.member?(@current_user, Gitlab::Access::REPORTER)
++      end
++
+       def serialize(summary_object)
+         AnalyticsSummarySerializer.new.represent(summary_object)
+       end
+--- a/spec/features/cycle_analytics_spec.rb
++++ b/spec/features/cycle_analytics_spec.rb
+@@ -108,6 +108,10 @@
+       wait_for_requests
+     end
+ 
++    it 'does not show the commit stats' do
++      expect(page).to have_no_selector(:xpath, commits_counter_selector)
++    end
++
+     it 'needs permissions to see restricted stages' do
+       expect(find('.stage-events')).to have_content(issue.title)
+ 
+@@ -123,8 +127,12 @@
+     find(:xpath, "//p[contains(text(),'New Issue')]/preceding-sibling::h3")
+   end
+ 
++  def commits_counter_selector
++    "//p[contains(text(),'Commits')]/preceding-sibling::h3"
++  end
++
+   def commits_counter
+-    find(:xpath, "//p[contains(text(),'Commits')]/preceding-sibling::h3")
++    find(:xpath, commits_counter_selector)
+   end
+ 
+   def deploys_counter
+--- a/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
++++ b/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
+@@ -8,6 +8,10 @@
+   let(:user) { create(:user, :admin) }
+   subject { described_class.new(project, from: Time.now, current_user: user).data }
+ 
++  before do
++    project.add_maintainer(user)
++  end
++
+   describe "#new_issues" do
+     it "finds the number of issues created after the 'from date'" do
+       Timecop.freeze(5.days.ago) { create(:issue, project: project) }
+@@ -42,6 +46,23 @@
+ 
+       expect(subject.second[:value]).to eq(100)
+     end
++
++    context 'when a guest user is signed in' do
++      let(:guest_user) { create(:user) }
++
++      before do
++        project.add_guest(guest_user)
++      end
++
++      it 'does not include commit stats' do
++        data = described_class.new(project, from: from, current_user: guest_user).data
++        expect(includes_commits?(data)).to be_falsy
++      end
++
++      def includes_commits?(data)
++        data.any? { |h| h["title"] == 'Commits' }
++      end
++    end
+   end
+ 
+   describe "#deploys" do

debian/patches/CVE-2019-19257.patch

@@ -0,0 +1,181 @@
+From debb36496b4805beae28262fbb24a692018178e2 Mon Sep 17 00:00:00 2001
+From: Kerri Miller <kerrizor@kerrizor.com>
+Date: Fri, 25 Oct 2019 07:46:40 -0500
+Subject: [PATCH] Restrict branches visible to guests in Issue feed
+
+Notes related to branch creation should not be shown in an issue's
+activity feed when the user doesn't have access to :download_code.
+---
+ app/models/note.rb                            | 15 ++++-
+ ...er-related-branches-from-activity-feed.yml |  6 ++
+ .../projects/issues_controller_spec.rb        | 37 +++++++++++
+ spec/models/note_spec.rb                      | 64 +++++++++++++++++++
+ 4 files changed, 121 insertions(+), 1 deletion(-)
+ create mode 100644 changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml
+
+--- a/app/models/note.rb
++++ b/app/models/note.rb
+@@ -40,6 +40,10 @@
+ 
+   redact_field :note
+ 
++  TYPES_RESTRICTED_BY_ABILITY = {
++    branch: :download_code
++  }.freeze
++
+   # Aliases to make application_helper#edited_time_ago_with_tooltip helper work properly with notes.
+   # See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10392/diffs#note_28719102
+   alias_attribute :last_edited_at, :updated_at
+@@ -333,7 +337,7 @@
+   end
+ 
+   def visible_for?(user)
+-    !cross_reference_not_visible_for?(user)
++    !cross_reference_not_visible_for?(user) && system_note_viewable_by?(user)
+   end
+ 
+   def award_emoji?
+@@ -485,6 +489,15 @@
+ 
+   private
+ 
++  def system_note_viewable_by?(user)
++    return true unless system_note_metadata
++
++    restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action.to_sym]
++    return Ability.allowed?(user, restriction, project) if restriction
++
++    true
++  end
++
+   def keep_around_commit
+     project.repository.keep_around(self.commit_id)
+   end
+--- /dev/null
++++ b/changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml
+@@ -0,0 +1,6 @@
++---
++title: Remove notes regarding Related Branches from Issue activity feeds for guest
++  users
++merge_request:
++author:
++type: security
+--- a/spec/controllers/projects/issues_controller_spec.rb
++++ b/spec/controllers/projects/issues_controller_spec.rb
+@@ -1343,6 +1343,43 @@
+           expect { get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid } }.not_to exceed_query_limit(control_count)
+         end
+       end
++
++      context 'private project' do
++        let!(:branch_note) { create(:discussion_note_on_issue, :system, noteable: issue, project: project) }
++        let!(:commit_note) { create(:discussion_note_on_issue, :system, noteable: issue, project: project) }
++        let!(:branch_note_meta) { create(:system_note_metadata, note: branch_note, action: "branch") }
++        let!(:commit_note_meta) { create(:system_note_metadata, note: commit_note, action: "commit") }
++
++        context 'user is allowed access' do
++          before do
++            project.add_user(user, :maintainer)
++          end
++
++          it 'displays all available notes' do
++            get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid }
++
++            expect(json_response.length).to eq(3)
++          end
++        end
++
++        context 'user is a guest' do
++          let(:json_response_note_ids) do
++            json_response.collect { |discussion| discussion["notes"] }.flatten
++              .collect { |note| note["id"].to_i }
++          end
++
++          before do
++            project.add_guest(user)
++          end
++
++          it 'does not display notes w/type listed in TYPES_RESTRICTED_BY_ACCESS_LEVEL' do
++            get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid }
++
++            expect(json_response.length).to eq(2)
++            expect(json_response_note_ids).not_to include(branch_note.id)
++          end
++        end
++      end
+     end
+   end
+ 
+--- a/spec/models/note_spec.rb
++++ b/spec/models/note_spec.rb
+@@ -246,6 +246,70 @@
+     end
+   end
+ 
++  describe "#visible_for?" do
++    using RSpec::Parameterized::TableSyntax
++
++    let(:note) { create(:note) }
++    let(:user) { create(:user) }
++
++    where(:cross_reference_visible, :system_note_viewable, :result) do
++      true  | true  | false
++      false | true  | true
++      false | false | false
++    end
++
++    with_them do
++      it "returns expected result" do
++        expect(note).to receive(:cross_reference_not_visible_for?).and_return(cross_reference_visible)
++
++        unless cross_reference_visible
++          expect(note).to receive(:system_note_viewable_by?)
++            .with(user).and_return(system_note_viewable)
++        end
++
++        expect(note.visible_for?(user)).to eq result
++      end
++    end
++  end
++
++  describe "#system_note_viewable_by?(user)" do
++    let(:note) { create(:note) }
++    let(:user) { create(:user) }
++    let!(:metadata) { create(:system_note_metadata, note: note, action: "branch") }
++
++    context "when system_note_metadata is not present" do
++      it "returns true" do
++        expect(note).to receive(:system_note_metadata).and_return(nil)
++
++        expect(note.send(:system_note_viewable_by?, user)).to be_truthy
++      end
++    end
++
++    context "system_note_metadata isn't of type 'branch'" do
++      before do
++        metadata.action = "not_a_branch"
++      end
++
++      it "returns true" do
++        expect(note.send(:system_note_viewable_by?, user)).to be_truthy
++      end
++    end
++
++    context "user doesn't have :download_code ability" do
++      it "returns false" do
++        expect(note.send(:system_note_viewable_by?, user)).to be_falsey
++      end
++    end
++
++    context "user has the :download_code ability" do
++      it "returns true" do
++        expect(Ability).to receive(:allowed?).with(user, :download_code, note.project).and_return(true)
++
++        expect(note.send(:system_note_viewable_by?, user)).to be_truthy
++      end
++    end
++  end
++
+   describe "cross_reference_not_visible_for?" do
+     let(:private_user)    { create(:user) }
+     let(:private_project) { create(:project, namespace: private_user.namespace) { |p| p.add_maintainer(private_user) } }

debian/patches/series

@@ -10,6 +10,7 @@
 0470-relax-bootsnap.patch
 0480-embed-snowplow-tracker.patch
 0481-relax-contracts-dependency-of-snowplow.patch
+0482-relax-gitlab-labkit.patch
 0500-set-webpack-root.patch
 0510-remove-dev-dependencies.patch
 0520-add-system-lib-path-for-webpack.patch
@@ -25,3 +26,7 @@
 0730-install-graphql-tag.patch
 0740-use-packaged-modules.patch
 0750-fix-relative-paths.patch
+0760-bump-rubyzip.patch
+0770-bump-node-d3.patch
+CVE-2019-19254.patch
+CVE-2019-19257.patch

debian/rake-tasks.sh

@@ -33,7 +33,7 @@ echo "Installing node modules..."
 runuser -u ${gitlab_user} -- sh -c 'install -d /var/lib/gitlab/.node_modules'
 runuser -u ${gitlab_user} -- sh -c 'yarnpkg install'
 # Remove write permissions of .yarn-metadata.json files
-runuser -u ${gitlab_user} -- sh -c 'find /var/lib/gitlab/.cache/yarn/v4/ -name .yarn-metadata.json -perm -a=w -exec chmod 644 {} \;'
+runuser -u ${gitlab_user} -- sh -c 'find /var/lib/gitlab/.cache/yarn/v6/ -name .yarn-metadata.json -perm -a=w -exec chmod 644 {} \;'
 
 echo "Precompiling locales..."
 runuser -u ${gitlab_user} -- sh -c '/usr/bin/bundle exec rake gettext:po_to_json'