From e261f2f0ba4ae41e74a5bf9c4bc655e013c1f269 Mon Sep 17 00:00:00 2001 From: Pirate Praveen Date: Wed, 4 Dec 2019 21:09:36 +0530 Subject: [PATCH] Refresh patches --- debian/patches/0050-relax-stable-libs.patch | 77 ++++---- .../0100-remove-development-test.patch | 9 +- ...0-make-test-dependencies-conditional.patch | 4 +- debian/patches/0340-relax-httparty.patch | 2 +- .../patches/0430-remove-gitlab-markup.patch | 2 +- debian/patches/0440-remove-puma.patch | 2 +- debian/patches/0450-remove-bullet.patch | 2 +- .../0460-embed-derailed-benchmarks.patch | 2 +- .../patches/0480-embed-snowplow-tracker.patch | 4 +- debian/patches/0482-relax-gitlab-labkit.patch | 11 -- .../0510-remove-dev-dependencies.patch | 11 +- ...0520-add-system-lib-path-for-webpack.patch | 2 +- debian/patches/0730-install-graphql-tag.patch | 2 +- .../patches/0740-use-packaged-modules.patch | 11 +- debian/patches/0750-fix-relative-paths.patch | 4 +- debian/patches/0760-bump-rubyzip.patch | 8 +- debian/patches/0770-bump-node-d3.patch | 2 +- debian/patches/CVE-2019-19254.patch | 154 --------------- debian/patches/CVE-2019-19257.patch | 181 ------------------ debian/patches/series | 3 - 20 files changed, 74 insertions(+), 419 deletions(-) delete mode 100644 debian/patches/0482-relax-gitlab-labkit.patch delete mode 100644 debian/patches/CVE-2019-19254.patch delete mode 100644 debian/patches/CVE-2019-19257.patch diff --git a/debian/patches/0050-relax-stable-libs.patch b/debian/patches/0050-relax-stable-libs.patch index 04c4669ecc..07b63a7731 100644 --- a/debian/patches/0050-relax-stable-libs.patch +++ b/debian/patches/0050-relax-stable-libs.patch @@ -49,9 +49,9 @@ gitlab Gemfile +gem 'rack-oauth2', '~> 1.9', '>= 1.9.3' +gem 'jwt', '~> 2.1' - # Spam and anti-bot protection - gem 'recaptcha', '~> 4.11', require: 'recaptcha/rails' -@@ -54,38 +54,38 @@ + # Kerberos authentication. EE-only + gem 'gssapi', group: :kerberos +@@ -57,41 +57,41 @@ gem 'invisible_captcha', '~> 0.12.1' # Two-factor authentication 
@@ -93,16 +93,19 @@ gitlab Gemfile +gem 'rack-cors', '~> 1.0', require: 'rack/cors' # GraphQL API --gem 'graphql', '~> 1.8.0' +-gem 'graphql', '~> 1.9.11' ++gem 'graphql', '~> 1.9', '>= 1.9.11' + # NOTE: graphiql-rails v1.5+ doesn't work: https://gitlab.com/gitlab-org/gitlab-ce/issues/67293 + # TODO: remove app/views/graphiql/rails/editors/show.html.erb when https://github.com/rmosolgo/graphiql-rails/pull/71 is released: + # https://gitlab.com/gitlab-org/gitlab-ce/issues/67263 -gem 'graphiql-rails', '~> 1.4.10' -gem 'apollo_upload_server', '~> 2.0.0.beta3' -+gem 'graphql', '~> 1.8' +gem 'graphiql-rails', '~> 1.4', '>= 1.4.10' +gem 'apollo_upload_server', '>= 2.0.0.beta3' gem 'graphql-docs', '~> 1.6.0', group: [:development, :test] # Disable strong_params so that Mash does not respond to :permitted? -@@ -95,7 +95,7 @@ +@@ -101,7 +101,7 @@ gem 'kaminari', '~> 1.0' # HAML @@ -111,22 +114,26 @@ gitlab Gemfile # Files attachments gem 'carrierwave', '~> 1.3' -@@ -105,7 +105,7 @@ +@@ -111,7 +111,7 @@ gem 'fog-aws', '~> 3.5' # Locked until fog-google resolves https://github.com/fog/fog-google/issues/421. # Also see config/initializers/fog_core_patch.rb. -gem 'fog-core', '= 2.1.0' +gem 'fog-core', '= 2.1' - gem 'fog-google', '~> 1.8' + gem 'fog-google', '~> 1.9' gem 'fog-local', '~> 0.6' gem 'fog-openstack', '~> 1.0' -@@ -119,39 +119,39 @@ +@@ -125,7 +125,7 @@ gem 'unf', '~> 0.1.4' # Seed data -gem 'seed-fu', '~> 2.3.7' +gem 'seed-fu', '~> 2.3', '>= 2.3.7' + # Search + gem 'elasticsearch-model', '~> 0.1.9' +@@ -136,35 +136,35 @@ + # Markdown and HTML processing gem 'html-pipeline', '~> 2.8' -gem 'deckar01-task_list', '2.2.0' @@ -171,7 +178,7 @@ gitlab Gemfile gem 'unicorn-worker-killer', '~> 0.4.4' end -@@ -168,13 +168,13 @@ +@@ -181,13 +181,13 @@ gem 'acts-as-taggable-on', '~> 6.0' # Background jobs 
@@ -180,7 +187,7 @@ gitlab Gemfile gem 'sidekiq-cron', '~> 1.0' -gem 'redis-namespace', '~> 1.6.0' +gem 'redis-namespace', '~> 1.6' - gem 'gitlab-sidekiq-fetcher', '0.5.1', require: 'sidekiq-reliable-fetch' + gem 'gitlab-sidekiq-fetcher', '0.5.2', require: 'sidekiq-reliable-fetch' # Cron Parser -gem 'fugit', '~> 1.2.1' @@ -188,7 +195,7 @@ gitlab Gemfile # HTTP requests gem 'httparty', '~> 0.16.4' -@@ -186,14 +186,14 @@ +@@ -199,14 +199,14 @@ gem 'ruby-progressbar' # GitLab settings @@ -206,7 +213,7 @@ gitlab Gemfile # Export Ruby Regex to Javascript gem 'js_regex', '~> 3.1' -@@ -206,13 +206,13 @@ +@@ -219,13 +219,13 @@ gem 'connection_pool', '~> 2.0' # Redis session store @@ -221,8 +228,8 @@ gitlab Gemfile +gem 'hipchat', '~> 1.5' # Jira integration - gem 'jira-ruby', '~> 1.4' -@@ -221,7 +221,7 @@ + gem 'jira-ruby', '~> 1.7' +@@ -235,7 +235,7 @@ gem 'flowdock', '~> 0.7' # Slack integration @@ -231,12 +238,12 @@ gitlab Gemfile # Hangouts Chat integration gem 'hangouts-chat', '~> 0.0.5' -@@ -233,11 +233,11 @@ +@@ -247,11 +247,11 @@ gem 'ruby-fogbugz', '~> 0.2.1' # Kubernetes integration --gem 'kubeclient', '~> 4.2.2' -+gem 'kubeclient', '~> 4.2', '>= 4.2.2' +-gem 'kubeclient', '~> 4.4.0' ++gem 'kubeclient', '~> 4.4' # Sanitize user input gem 'sanitize', '~> 4.6' @@ -245,7 +252,7 @@ gitlab Gemfile # Sanitizes SVG input gem 'loofah', '~> 2.2' -@@ -246,10 +246,10 @@ +@@ -260,10 +260,10 @@ gem 'licensee', '~> 8.9' # Protect against bruteforcing @@ -258,7 +265,7 @@ gitlab Gemfile # Detect and convert string character encoding gem 'charlock_holmes', '~> 0.7.5' -@@ -267,21 +267,21 @@ +@@ -281,10 +281,10 @@ gem 'webpack-rails', '~> 0.9.10' gem 'rack-proxy', '~> 0.6.0' @@ -272,11 +279,7 @@ gitlab Gemfile gem 'font-awesome-rails', '~> 4.7' gem 'gemojione', '~> 3.3' gem 'gon', '~> 6.2' - gem 'request_store', '~> 1.3' --gem 'virtus', '~> 1.0.1' -+gem 'virtus', '~> 1.0', '>=1.0.1' - gem 'base32', '~> 0.3.0' - +@@ -296,7 +296,7 @@ # Sentry integration gem 'sentry-raven', '~> 2.9' 
@@ -284,8 +287,8 @@ gitlab Gemfile +gem 'premailer-rails', '~> 1.9', '>=1.9.7' # LabKit: Tracing and Correlation - gem 'gitlab-labkit', '~> 0.4.2' -@@ -289,14 +289,14 @@ + gem 'gitlab-labkit', '~> 0.5' +@@ -304,11 +304,11 @@ # I18n gem 'ruby_parser', '~> 3.8', require: false gem 'rails-i18n', '~> 5.1' @@ -299,12 +302,8 @@ gitlab Gemfile +gem 'batch-loader', '~> 1.4' # Perf bar --gem 'peek', '~> 1.0.1' -+gem 'peek', '~> 1.0', '>= 1.0.1' - - # Snowplow events tracking - gem 'snowplow-tracker', '~> 0.6.1' -@@ -330,39 +330,39 @@ + # https://gitlab.com/gitlab-org/gitlab-ee/issues/13996 +@@ -347,62 +347,62 @@ end group :development, :test do @@ -357,16 +356,14 @@ gitlab Gemfile gem 'scss_lint', '~> 0.56.0', require: false gem 'haml_lint', '~> 0.31.0', require: false -@@ -370,7 +370,7 @@ + gem 'simplecov', '~> 0.16.1', require: false gem 'bundler-audit', '~> 0.5.0', require: false - gem 'mdl', '~> 0.5.0', require: false - gem 'benchmark-ips', '~> 2.3.0', require: false + gem 'benchmark-ips', '~> 2.3', require: false gem 'license_finder', '~> 5.4', require: false gem 'knapsack', '~> 1.17' -@@ -379,16 +379,16 @@ gem 'stackprof', '~> 0.2.10', require: false @@ -388,7 +385,7 @@ gitlab Gemfile gem 'rails-controller-testing' gem 'concurrent-ruby', '~> 1.1' gem 'test-prof', '~> 0.2.5' -@@ -412,11 +412,11 @@ +@@ -426,11 +426,11 @@ gem 'oauth2', '~> 1.4' # Health check @@ -401,9 +398,9 @@ gitlab Gemfile +gem 'vmstat', '~> 2.3' +gem 'sys-filesystem', '~> 1.1', '>= 1.1.6' - # SSH host key support - gem 'net-ssh', '~> 5.2' -@@ -429,13 +429,13 @@ + # NTP client + gem 'net-ntp' +@@ -446,13 +446,13 @@ end # Gitaly GRPC protocol definitions diff --git a/debian/patches/0100-remove-development-test.patch b/debian/patches/0100-remove-development-test.patch index 2f0715c205..e49b643f34 100644 --- a/debian/patches/0100-remove-development-test.patch +++ b/debian/patches/0100-remove-development-test.patch @@ -2,15 +2,15 @@ Bundler will fail when it can't find these locally --- a/Gemfile 
+++ b/Gemfile -@@ -86,7 +86,6 @@ - gem 'graphql', '~> 1.8' +@@ -92,7 +92,6 @@ + # https://gitlab.com/gitlab-org/gitlab-ce/issues/67263 gem 'graphiql-rails', '~> 1.4', '>= 1.4.10' gem 'apollo_upload_server', '>= 2.0.0.beta3' -gem 'graphql-docs', '~> 1.6.0', group: [:development, :test] # Disable strong_params so that Mash does not respond to :permitted? gem 'hashie-forbidden_attributes' -@@ -291,7 +290,6 @@ +@@ -306,7 +305,6 @@ gem 'rails-i18n', '~> 5.1' gem 'gettext_i18n_rails', '~> 1.8' gem 'gettext_i18n_rails_js', '~> 1.3' @@ -18,13 +18,14 @@ Bundler will fail when it can't find these locally gem 'batch-loader', '~> 1.4' -@@ -314,21 +312,6 @@ +@@ -330,22 +328,6 @@ gem 'raindrops', '~> 0.18' end -group :development do - gem 'foreman', '~> 0.84.0' - gem 'brakeman', '~> 4.2', require: false +- gem 'danger', '~> 6.0', require: false - - gem 'letter_opener_web', '~> 1.3.4' - gem 'rblineprof', '~> 0.3.6', platform: :mri, require: false diff --git a/debian/patches/0110-make-test-dependencies-conditional.patch b/debian/patches/0110-make-test-dependencies-conditional.patch index f132e07263..230057d9b7 100644 --- a/debian/patches/0110-make-test-dependencies-conditional.patch +++ b/debian/patches/0110-make-test-dependencies-conditional.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -312,7 +312,7 @@ +@@ -328,7 +328,7 @@ gem 'raindrops', '~> 0.18' end @@ -9,7 +9,7 @@ gem 'bullet', '~> 5.5', require: !!ENV['ENABLE_BULLET'] gem 'pry-byebug', '~> 3.5', '>= 3.5.1', platform: :mri gem 'pry-rails', '~> 0.3.4' -@@ -365,9 +365,7 @@ +@@ -378,9 +378,7 @@ gem 'simple_po_parser', '~> 1.1', '>= 1.1.2', require: false gem 'timecop', '~> 0.8.0' diff --git a/debian/patches/0340-relax-httparty.patch b/debian/patches/0340-relax-httparty.patch index 0d3717ba18..351c508779 100644 --- a/debian/patches/0340-relax-httparty.patch +++ b/debian/patches/0340-relax-httparty.patch @@ -1,6 +1,6 @@ --- a/Gemfile 
+++ b/Gemfile -@@ -176,7 +176,7 @@ +@@ -189,7 +189,7 @@ gem 'fugit', '~> 1.2', '>= 1.2.1' # HTTP requests diff --git a/debian/patches/0430-remove-gitlab-markup.patch b/debian/patches/0430-remove-gitlab-markup.patch index 3d0369ea9e..e84492f4c4 100644 --- a/debian/patches/0430-remove-gitlab-markup.patch +++ b/debian/patches/0430-remove-gitlab-markup.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -123,7 +123,6 @@ +@@ -136,7 +136,6 @@ # Markdown and HTML processing gem 'html-pipeline', '~> 2.8' gem 'deckar01-task_list', '2.2' diff --git a/debian/patches/0440-remove-puma.patch b/debian/patches/0440-remove-puma.patch index e4dcdb1b2e..13fd854215 100644 --- a/debian/patches/0440-remove-puma.patch +++ b/debian/patches/0440-remove-puma.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -153,12 +153,6 @@ +@@ -166,12 +166,6 @@ gem 'unicorn-worker-killer', '~> 0.4.4' end diff --git a/debian/patches/0450-remove-bullet.patch b/debian/patches/0450-remove-bullet.patch index ea05de9a11..be78340a1c 100644 --- a/debian/patches/0450-remove-bullet.patch +++ b/debian/patches/0450-remove-bullet.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -306,7 +306,6 @@ +@@ -322,7 +322,6 @@ end if ENV["INCLUDE_TEST_DEPENDS"] == "true" diff --git a/debian/patches/0460-embed-derailed-benchmarks.patch b/debian/patches/0460-embed-derailed-benchmarks.patch index e295bb7d7c..449b5065cd 100644 --- a/debian/patches/0460-embed-derailed-benchmarks.patch +++ b/debian/patches/0460-embed-derailed-benchmarks.patch @@ -1,6 +1,6 @@ --- a/Gemfile +++ b/Gemfile -@@ -293,7 +293,8 @@ +@@ -309,7 +309,8 @@ gem 'snowplow-tracker', '~> 0.6.1' # Memory benchmarks diff --git a/debian/patches/0480-embed-snowplow-tracker.patch b/debian/patches/0480-embed-snowplow-tracker.patch index 60bcd04858..7bfe306a1a 100644 --- a/debian/patches/0480-embed-snowplow-tracker.patch +++ b/debian/patches/0480-embed-snowplow-tracker.patch @@ -1,7 +1,7 @@ --- a/Gemfile 
+++ b/Gemfile -@@ -290,7 +290,7 @@ - gem 'peek', '~> 1.0', '>= 1.0.1' +@@ -306,7 +306,7 @@ + gem 'gitlab-peek', '~> 0.0.1', require: 'peek' # Snowplow events tracking -gem 'snowplow-tracker', '~> 0.6.1' diff --git a/debian/patches/0482-relax-gitlab-labkit.patch b/debian/patches/0482-relax-gitlab-labkit.patch deleted file mode 100644 index 7325b1165e..0000000000 --- a/debian/patches/0482-relax-gitlab-labkit.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/Gemfile -+++ b/Gemfile -@@ -276,7 +276,7 @@ - gem 'premailer-rails', '~> 1.9', '>=1.9.7' - - # LabKit: Tracing and Correlation --gem 'gitlab-labkit', '~> 0.4.2' -+gem 'gitlab-labkit', '~> 0.5' - - # I18n - gem 'ruby_parser', '~> 3.8', require: false diff --git a/debian/patches/0510-remove-dev-dependencies.patch b/debian/patches/0510-remove-dev-dependencies.patch index c60850bce3..a0ef7a8be7 100644 --- a/debian/patches/0510-remove-dev-dependencies.patch +++ b/debian/patches/0510-remove-dev-dependencies.patch @@ -1,10 +1,10 @@ --- a/package.json +++ b/package.json -@@ -145,60 +145,6 @@ +@@ -147,62 +147,7 @@ "xterm": "^3.5.0" }, "devDependencies": { -- "@babel/plugin-transform-modules-commonjs": "^7.2.0", +- "@babel/plugin-transform-modules-commonjs": "^7.5.0", - "@gitlab/eslint-config": "^1.6.0", - "@gitlab/eslint-plugin-i18n": "^1.1.0", - "@gitlab/eslint-plugin-vue-i18n": "^1.2.0", @@ -21,7 +21,6 @@ - "eslint": "~5.9.0", - "eslint-import-resolver-jest": "^2.1.1", - "eslint-import-resolver-webpack": "^0.10.1", -- "eslint-plugin-html": "5.0.0", - "eslint-plugin-import": "^2.14.0", - "eslint-plugin-jasmine": "^2.10.1", - "eslint-plugin-jest": "^22.3.0", @@ -45,6 +44,7 @@ - "karma-mocha-reporter": "^2.2.5", - "karma-sourcemap-loader": "^0.3.7", - "karma-webpack": "^4.0.2", +- "markdownlint-cli": "0.18.0", - "md5": "^2.2.1", - "node-sass": "^4.12.0", - "nodemon": "^1.18.9", 
@@ -55,9 +55,12 @@ - "stylelint": "^10.1.0", - "stylelint-config-recommended": "^2.2.0", - "stylelint-scss": "^3.9.2", +- "timezone-mock": "^1.0.8", - "vue-jest": "^4.0.0-beta.2", - "webpack-dev-server": "^3.1.14", - "yarn-deduplicate": "^1.1.1" - }, +- }, ++ }, "resolutions": { "vue-jest/ts-jest": "24.0.0" + }, diff --git a/debian/patches/0520-add-system-lib-path-for-webpack.patch b/debian/patches/0520-add-system-lib-path-for-webpack.patch index d872ee45bb..bf9293b052 100644 --- a/debian/patches/0520-add-system-lib-path-for-webpack.patch +++ b/debian/patches/0520-add-system-lib-path-for-webpack.patch @@ -1,6 +1,6 @@ --- a/config/webpack.config.js +++ b/config/webpack.config.js -@@ -126,9 +126,14 @@ +@@ -127,9 +127,14 @@ resolve: { extensions: ['.js', '.gql', '.graphql'], diff --git a/debian/patches/0730-install-graphql-tag.patch b/debian/patches/0730-install-graphql-tag.patch index 7f328cd498..19375bd1ae 100644 --- a/debian/patches/0730-install-graphql-tag.patch +++ b/debian/patches/0730-install-graphql-tag.patch @@ -3,7 +3,7 @@ Author: Utkarsh Gupta --- a/package.json +++ b/package.json -@@ -85,6 +85,7 @@ +@@ -86,6 +86,7 @@ "fuzzaldrin-plus": "^0.5.0", "glob": "^7.1.2", "graphql": "^14.0.2", diff --git a/debian/patches/0740-use-packaged-modules.patch b/debian/patches/0740-use-packaged-modules.patch index de590f970d..2e99649557 100644 --- a/debian/patches/0740-use-packaged-modules.patch +++ b/debian/patches/0740-use-packaged-modules.patch @@ -1,12 +1,12 @@ --- a/package.json +++ b/package.json -@@ -121,28 +121,17 @@ +@@ -122,29 +122,19 @@ "style-loader": "^0.23.1", "svg4everybody": "2.1.9", "three": "^0.84.0", - "three-orbit-controls": "^82.1.0", - "three-stl-loader": "^1.0.4", -- "timeago.js": "^3.0.2", + "timeago.js": "^3.0.2", "tiptap": "^1.8.0", "tiptap-commands": "^1.4.0", "tiptap-extensions": "^1.8.0", 
@@ -20,6 +20,7 @@ "vue-router": "^3.0.2", "vue-template-compiler": "^2.6.10", "vue-virtual-scroll-list": "^1.3.1", + "vuedraggable": "^2.23.0", "vuex": "^3.1.0", - "webpack": "^4.29.0", - "webpack-bundle-analyzer": "^3.3.2", @@ -39,7 +40,7 @@ const CopyWebpackPlugin = require('copy-webpack-plugin'); const ROOT_PATH = '/usr/share/gitlab'; -@@ -126,12 +125,12 @@ +@@ -127,12 +126,12 @@ resolve: { extensions: ['.js', '.gql', '.graphql'], @@ -54,7 +55,7 @@ }, module: { -@@ -338,16 +337,6 @@ +@@ -370,16 +369,6 @@ // enable HMR only in webpack-dev-server DEV_SERVER_LIVERELOAD && new webpack.HotModuleReplacementPlugin(), @@ -71,7 +72,7 @@ new webpack.DefinePlugin({ // This one is used to define window.gon.ee and other things properly in tests: 'process.env.IS_GITLAB_EE': JSON.stringify(IS_EE), -@@ -373,6 +362,7 @@ +@@ -405,6 +394,7 @@ node: { fs: 'empty', // sqljs requires fs diff --git a/debian/patches/0750-fix-relative-paths.patch b/debian/patches/0750-fix-relative-paths.patch index 01018b1eac..d016c478f7 100644 --- a/debian/patches/0750-fix-relative-paths.patch +++ b/debian/patches/0750-fix-relative-paths.patch @@ -1,10 +1,12 @@ --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb -@@ -1,5 +1,5 @@ +@@ -1,6 +1,6 @@ -require_relative '../settings' -require_relative '../object_store_settings' +-require_relative '../smime_signature_settings' +require '/usr/share/gitlab/config/settings' +require '/usr/share/gitlab/config/object_store_settings' ++require '/usr/share/gitlab/config/smime_signature_settings' # Default settings Settings['ldap'] ||= Settingslogic.new({}) diff --git a/debian/patches/0760-bump-rubyzip.patch b/debian/patches/0760-bump-rubyzip.patch index d46edb1968..1677d0ff8b 100644 --- a/debian/patches/0760-bump-rubyzip.patch +++ b/debian/patches/0760-bump-rubyzip.patch @@ -5,7 +5,7 @@ Last-Update: 2019-11-19 --- a/Gemfile +++ b/Gemfile -@@ -61,7 +61,7 @@ +@@ -64,7 +64,7 @@ # GitLab Pages gem 'validates_hostname', '~> 1.0', '>= 1.0.6' 
@@ -16,7 +16,7 @@ Last-Update: 2019-11-19 --- a/Gemfile.lock +++ b/Gemfile.lock -@@ -845,7 +845,7 @@ +@@ -901,7 +901,7 @@ sexp_processor (~> 4.9) rubyntlm (0.6.2) rubypants (0.2.0) @@ -25,8 +25,8 @@ Last-Update: 2019-11-19 rugged (0.28.3.1) safe_yaml (1.0.4) sanitize (4.6.6) -@@ -1220,7 +1220,7 @@ - ruby-prof (~> 0.17.0) +@@ -1291,7 +1291,7 @@ + ruby-prof (~> 1.0.0) ruby-progressbar ruby_parser (~> 3.8) - rubyzip (~> 1.2.2) diff --git a/debian/patches/0770-bump-node-d3.patch b/debian/patches/0770-bump-node-d3.patch index 5639da884d..dbf56f644b 100644 --- a/debian/patches/0770-bump-node-d3.patch +++ b/debian/patches/0770-bump-node-d3.patch @@ -10,7 +10,7 @@ Subject: [PATCH 1/2] Update d3 node module 4.13 -> 5.12 --- a/package.json +++ b/package.json -@@ -61,7 +61,7 @@ +@@ -62,7 +62,7 @@ "core-js": "^3.1.3", "cropper": "^2.3.0", "css-loader": "^1.0.0", diff --git a/debian/patches/CVE-2019-19254.patch b/debian/patches/CVE-2019-19254.patch deleted file mode 100644 index 6b7403ecec..0000000000 --- a/debian/patches/CVE-2019-19254.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -From 5bdfcaa1c268aa475a11480a0ae33691f73a1a96 Mon Sep 17 00:00:00 2001 -From: Brandon Labuschagne -Date: Fri, 15 Nov 2019 14:39:29 +0000 -Subject: [PATCH 1/2] Ensure that summary items remain aligned - -Default number of items is 3. If this is not the case, -then increase the column width of the summary items -to cater for 2 items plus the date filter. ---- - .../javascripts/cycle_analytics/cycle_analytics_bundle.js | 6 ++++++ - app/views/projects/cycle_analytics/show.html.haml | 4 ++-- - 2 files changed, 8 insertions(+), 2 deletions(-) - ---- a/app/assets/javascripts/cycle_analytics/cycle_analytics_bundle.js -+++ b/app/assets/javascripts/cycle_analytics/cycle_analytics_bundle.js -@@ -56,10 +56,16 @@ - service: this.createCycleAnalyticsService(cycleAnalyticsEl.dataset.requestPath), - }; - }, -+ defaultNumberOfSummaryItems: 3, - computed: { - currentStage() { - return this.store.currentActiveStage(); - }, -+ summaryTableColumnClass() { -+ return this.state.summary.length === this.$options.defaultNumberOfSummaryItems -+ ? 
'col-sm-3' -+ : 'col-sm-4'; -+ }, - }, - created() { - // Conditional check placed here to prevent this method from being called on the ---- a/app/views/projects/cycle_analytics/show.html.haml -+++ b/app/views/projects/cycle_analytics/show.html.haml -@@ -14,10 +14,10 @@ - .content-block - .container-fluid - .row -- .col-sm-3.col-12.column{ "v-for" => "item in state.summary" } -+ .col-12.column{ "v-for" => "item in state.summary", ":class" => "summaryTableColumnClass" } - %h3.header {{ item.value }} - %p.text {{ item.title }} -- .col-sm-3.col-12.column -+ .col-12.column{ ":class" => "summaryTableColumnClass" } - .dropdown.inline.js-ca-dropdown - %button.dropdown-menu-toggle{ "data-toggle" => "dropdown", :type => "button" } - %span.dropdown-label {{ n__('Last %d day', 'Last %d days', 30) }} ---- /dev/null -+++ b/changelogs/unreleased/security-ag-cycle-analytics-guest-permissions.yml -@@ -0,0 +1,5 @@ -+--- -+title: Hide commit counts from guest users in Cycle Analytics. -+merge_request: -+author: -+type: security ---- a/lib/gitlab/cycle_analytics/stage_summary.rb -+++ b/lib/gitlab/cycle_analytics/stage_summary.rb -@@ -10,13 +10,29 @@ - end - - def data -- [serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user)), -- serialize(Summary::Commit.new(project: @project, from: @from)), -- serialize(Summary::Deploy.new(project: @project, from: @from))] -+ summary = [issue_stats] -+ summary << commit_stats if user_has_sufficient_access? -+ summary << deploy_stats - end - - private - -+ def issue_stats -+ serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user)) -+ end -+ -+ def commit_stats -+ serialize(Summary::Commit.new(project: @project, from: @from)) -+ end -+ -+ def deploy_stats -+ serialize(Summary::Deploy.new(project: @project, from: @from)) -+ end -+ -+ def user_has_sufficient_access? 
-+ @project.team.member?(@current_user, Gitlab::Access::REPORTER) -+ end -+ - def serialize(summary_object) - AnalyticsSummarySerializer.new.represent(summary_object) - end ---- a/spec/features/cycle_analytics_spec.rb -+++ b/spec/features/cycle_analytics_spec.rb -@@ -108,6 +108,10 @@ - wait_for_requests - end - -+ it 'does not show the commit stats' do -+ expect(page).to have_no_selector(:xpath, commits_counter_selector) -+ end -+ - it 'needs permissions to see restricted stages' do - expect(find('.stage-events')).to have_content(issue.title) - -@@ -123,8 +127,12 @@ - find(:xpath, "//p[contains(text(),'New Issue')]/preceding-sibling::h3") - end - -+ def commits_counter_selector -+ "//p[contains(text(),'Commits')]/preceding-sibling::h3" -+ end -+ - def commits_counter -- find(:xpath, "//p[contains(text(),'Commits')]/preceding-sibling::h3") -+ find(:xpath, commits_counter_selector) - end - - def deploys_counter ---- a/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb -+++ b/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb -@@ -8,6 +8,10 @@ - let(:user) { create(:user, :admin) } - subject { described_class.new(project, from: Time.now, current_user: user).data } - -+ before do -+ project.add_maintainer(user) -+ end -+ - describe "#new_issues" do - it "finds the number of issues created after the 'from date'" do - Timecop.freeze(5.days.ago) { create(:issue, project: project) } -@@ -42,6 +46,23 @@ - - expect(subject.second[:value]).to eq(100) - end -+ -+ context 'when a guest user is signed in' do -+ let(:guest_user) { create(:user) } -+ -+ before do -+ project.add_guest(guest_user) -+ end -+ -+ it 'does not include commit stats' do -+ data = described_class.new(project, from: from, current_user: guest_user).data -+ expect(includes_commits?(data)).to be_falsy -+ end -+ -+ def includes_commits?(data) -+ data.any? { |h| h["title"] == 'Commits' } -+ end -+ end - end - - describe "#deploys" do 
diff --git a/debian/patches/CVE-2019-19257.patch b/debian/patches/CVE-2019-19257.patch
deleted file mode 100644
index 28447b330e..0000000000
--- a/debian/patches/CVE-2019-19257.patch
+++ /dev/null
@@ -1,181 +0,0 @@ -From debb36496b4805beae28262fbb24a692018178e2 Mon Sep 17 00:00:00 2001 -From: Kerri Miller -Date: Fri, 25 Oct 2019 07:46:40 -0500 -Subject: [PATCH] Restrict branches visible to guests in Issue feed - -Notes related to branch creation should not be shown in an issue's -activity feed when the user doesn't have access to :download_code. ---- - app/models/note.rb | 15 ++++- - ...er-related-branches-from-activity-feed.yml | 6 ++ - .../projects/issues_controller_spec.rb | 37 +++++++++++ - spec/models/note_spec.rb | 64 +++++++++++++++++++ - 4 files changed, 121 insertions(+), 1 deletion(-) - create mode 100644 changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml - ---- a/app/models/note.rb -+++ b/app/models/note.rb -@@ -40,6 +40,10 @@ - - redact_field :note - -+ TYPES_RESTRICTED_BY_ABILITY = { -+ branch: :download_code -+ }.freeze -+ - # Aliases to make application_helper#edited_time_ago_with_tooltip helper work properly with notes. - # See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10392/diffs#note_28719102 - alias_attribute :last_edited_at, :updated_at -@@ -333,7 +337,7 @@ - end - - def visible_for?(user) -- !cross_reference_not_visible_for?(user) -+ !cross_reference_not_visible_for?(user) && system_note_viewable_by?(user) - end - - def award_emoji? 
-@@ -485,6 +489,15 @@ - - private - -+ def system_note_viewable_by?(user) -+ return true unless system_note_metadata -+ -+ restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action.to_sym] -+ return Ability.allowed?(user, restriction, project) if restriction -+ -+ true -+ end -+ - def keep_around_commit - project.repository.keep_around(self.commit_id) - end ---- /dev/null -+++ b/changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml -@@ -0,0 +1,6 @@ -+--- -+title: Remove notes regarding Related Branches from Issue activity feeds for guest -+ users -+merge_request: -+author: -+type: security ---- a/spec/controllers/projects/issues_controller_spec.rb -+++ b/spec/controllers/projects/issues_controller_spec.rb -@@ -1343,6 +1343,43 @@ - expect { get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid } }.not_to exceed_query_limit(control_count) - end - end -+ -+ context 'private project' do -+ let!(:branch_note) { create(:discussion_note_on_issue, :system, noteable: issue, project: project) } -+ let!(:commit_note) { create(:discussion_note_on_issue, :system, noteable: issue, project: project) } -+ let!(:branch_note_meta) { create(:system_note_metadata, note: branch_note, action: "branch") } -+ let!(:commit_note_meta) { create(:system_note_metadata, note: commit_note, action: "commit") } -+ -+ context 'user is allowed access' do -+ before do -+ project.add_user(user, :maintainer) -+ end -+ -+ it 'displays all available notes' do -+ get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid } -+ -+ expect(json_response.length).to eq(3) -+ end -+ end -+ -+ context 'user is a guest' do -+ let(:json_response_note_ids) do -+ json_response.collect { |discussion| discussion["notes"] }.flatten -+ .collect { |note| note["id"].to_i } -+ end -+ -+ before do -+ project.add_guest(user) -+ end -+ -+ it 'does not display notes w/type listed in 
TYPES_RESTRICTED_BY_ACCESS_LEVEL' do -+ get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid } -+ -+ expect(json_response.length).to eq(2) -+ expect(json_response_note_ids).not_to include(branch_note.id) -+ end -+ end -+ end - end - end - ---- a/spec/models/note_spec.rb -+++ b/spec/models/note_spec.rb -@@ -246,6 +246,70 @@ - end - end - -+ describe "#visible_for?" do -+ using RSpec::Parameterized::TableSyntax -+ -+ let(:note) { create(:note) } -+ let(:user) { create(:user) } -+ -+ where(:cross_reference_visible, :system_note_viewable, :result) do -+ true | true | false -+ false | true | true -+ false | false | false -+ end -+ -+ with_them do -+ it "returns expected result" do -+ expect(note).to receive(:cross_reference_not_visible_for?).and_return(cross_reference_visible) -+ -+ unless cross_reference_visible -+ expect(note).to receive(:system_note_viewable_by?) -+ .with(user).and_return(system_note_viewable) -+ end -+ -+ expect(note.visible_for?(user)).to eq result -+ end -+ end -+ end -+ -+ describe "#system_note_viewable_by?(user)" do -+ let(:note) { create(:note) } -+ let(:user) { create(:user) } -+ let!(:metadata) { create(:system_note_metadata, note: note, action: "branch") } -+ -+ context "when system_note_metadata is not present" do -+ it "returns true" do -+ expect(note).to receive(:system_note_metadata).and_return(nil) -+ -+ expect(note.send(:system_note_viewable_by?, user)).to be_truthy -+ end -+ end -+ -+ context "system_note_metadata isn't of type 'branch'" do -+ before do -+ metadata.action = "not_a_branch" -+ end -+ -+ it "returns true" do -+ expect(note.send(:system_note_viewable_by?, user)).to be_truthy -+ end -+ end -+ -+ context "user doesn't have :download_code ability" do -+ it "returns false" do -+ expect(note.send(:system_note_viewable_by?, user)).to be_falsey -+ end -+ end -+ -+ context "user has the :download_code ability" do -+ it "returns true" do -+ expect(Ability).to 
receive(:allowed?).with(user, :download_code, note.project).and_return(true) -+ -+ expect(note.send(:system_note_viewable_by?, user)).to be_truthy -+ end -+ end -+ end -+ - describe "cross_reference_not_visible_for?" do - let(:private_user) { create(:user) } - let(:private_project) { create(:project, namespace: private_user.namespace) { |p| p.add_maintainer(private_user) } } diff --git a/debian/patches/series b/debian/patches/series index 3b0432d47e..11e476f794 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,7 +10,6 @@ 0470-relax-bootsnap.patch 0480-embed-snowplow-tracker.patch 0481-relax-contracts-dependency-of-snowplow.patch -0482-relax-gitlab-labkit.patch 0500-set-webpack-root.patch 0510-remove-dev-dependencies.patch 0520-add-system-lib-path-for-webpack.patch @@ -28,5 +27,3 @@ 0750-fix-relative-paths.patch 0760-bump-rubyzip.patch 0770-bump-node-d3.patch -CVE-2019-19254.patch -CVE-2019-19257.patch
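Review bot: Removing `CVE-2019-19254.patch` and `CVE-2019-19257.patch` from `series` (and deleting both files) silently drops two security fixes, and neither the subject "Refresh patches" nor the body says why. The refreshed context in the other hunks (`gitlab-labkit '~> 0.5'`, `kubeclient '~> 4.4.0'`, `gitlab-sidekiq-fetcher 0.5.2`) suggests a newer upstream tree that presumably already carries these fixes, but that should be verified and stated rather than inferred from a diff. Before merging, confirm the unpacked source has `user_has_sufficient_access?` in `lib/gitlab/cycle_analytics/stage_summary.rb` and `TYPES_RESTRICTED_BY_ABILITY` in `app/models/note.rb`, and record it in the commit message or debian/changelog, e.g. `Drop CVE-2019-19254.patch and CVE-2019-19257.patch, fixed upstream in this release`. The same justification belongs on the dropped `0482-relax-gitlab-labkit.patch`, which the refreshed 0050 hunk shows is now satisfied by upstream's own `~> 0.5` pin.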