From ae28033eb9b4d9a61ee7ed0b1cd334292c0cb599 Mon Sep 17 00:00:00 2001 
From: Pirate Praveen Date: Sun, 27 Feb 2022 12:50:16 +0530 Subject: [PATCH] New upstream version 14.6.5+ds1 --- .gitlab/ci/global.gitlab-ci.yml | 2 +- CHANGELOG.md | 13 +++ GITALY_SERVER_VERSION | 2 +- VERSION | 2 +- .../javascripts/mirrors/mirror_repos.js | 10 +- .../javascripts/snippets/components/show.vue | 13 ++- .../javascripts/snippets/mixins/snippets.js | 1 + .../queries/snippet/snippet.query.graphql | 1 + .../snippet_blob_content.query.graphql | 1 + .../resolvers/snippets/blobs_resolver.rb | 20 ++-- app/graphql/resolvers/users_resolver.rb | 9 +- .../types/snippets/blob_connection_type.rb | 16 +++ app/graphql/types/snippets/blob_type.rb | 2 + .../encrypted.rb | 46 +++++--- app/models/group.rb | 20 +++- app/models/note.rb | 37 ++++++- app/models/project.rb | 18 ++- app/models/snippet.rb | 10 +- app/services/members/create_service.rb | 13 +++ .../mirrors/_authentication_method.html.haml | 2 +- .../groups_runners_token_prefix.yml | 8 ++ .../projects_runners_token_prefix.yml | 8 ++ config/initializers/action_mailer_hooks.rb | 1 + doc/api/graphql/reference/index.md | 1 + lib/api/users.rb | 6 +- lib/banzai/filter/math_filter.rb | 10 ++ .../hook/validate_addresses_interceptor.rb | 32 ++++++ locale/gitlab.pot | 3 + .../frontend/snippets/components/show_spec.js | 19 +++- .../resolvers/snippets/blobs_resolver_spec.rb | 13 ++- spec/graphql/resolvers/users_resolver_spec.rb | 19 +++- spec/lib/banzai/filter/math_filter_spec.rb | 8 ++ .../validate_addresses_interceptor_spec.rb | 52 +++++++++ .../concerns/token_authenticatable_spec.rb | 103 ++++++++++++++++++ .../encrypted_spec.rb | 45 ++++++++ spec/models/group_spec.rb | 8 ++ spec/models/note_spec.rb | 10 ++ spec/models/project_spec.rb | 12 +- spec/models/snippet_spec.rb | 34 ++++++ spec/requests/api/graphql/users_spec.rb | 24 ++-- spec/requests/api/notes_spec.rb | 10 +- spec/services/members/create_service_spec.rb | 24 +++- .../runners_token_prefix_shared_examples.rb | 35 ++++++ 43 files changed, 652 insertions(+), 71 
deletions(-)
 create mode 100644 app/graphql/types/snippets/blob_connection_type.rb
 create mode 100644 config/feature_flags/development/groups_runners_token_prefix.yml
 create mode 100644 config/feature_flags/development/projects_runners_token_prefix.yml
 create mode 100644 lib/gitlab/email/hook/validate_addresses_interceptor.rb
 create mode 100644 spec/lib/gitlab/email/hook/validate_addresses_interceptor_spec.rb
 create mode 100644 spec/support/shared_examples/models/runners_token_prefix_shared_examples.rb
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index 04883e5680..73e4712cc8 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -113,7 +113,7 @@
 policy: push
 .qa-ruby-gems-cache: &qa-ruby-gems-cache
- key: "qa-ruby-gems-v1"
+ key: "qa-ruby-gems-v1-debian-buster"
 paths:
 - qa/vendor/ruby/
 policy: pull
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c356e303f..39ae46d244 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,19 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 14.6.5 (2022-02-25)
+
+### Security (8 changes)
+
+- [Limit commands_changes to certain keys](gitlab-org/security/gitlab@138c437f2819d62ce4750fb84399d8868c844b01) ([merge request](gitlab-org/security/gitlab!2227))
+- [Add runners_token prefix to Group and Project](gitlab-org/security/gitlab@682d4e9b63d3d36901638edc75c1b265460d42dc) ([merge request](gitlab-org/security/gitlab!2250))
+- [Anonymous user can enumerate all users through GraphQL endpoint](gitlab-org/security/gitlab@2b00a8036b291d3ad5de551a5e13c2a0a39d0234) ([merge request](gitlab-org/security/gitlab!2102))
+- [Check for unsafe characters in email addresses before sending](gitlab-org/security/gitlab@6bc653b3dadefb3d2c80823786d43e6b7f8c4620) ([merge request](gitlab-org/security/gitlab!2208))
+- [Warn when snippet contains unretrievable files](gitlab-org/security/gitlab@f9ae9515ec98ab934f4aa3a35af0aca806bbe21d) ([merge request](gitlab-org/security/gitlab!2203))
+- [Prevent DOS when rendering math markdown](gitlab-org/security/gitlab@fd6d496df6f4b5eb3da0b851f9ff8ebb1d68d3f2) ([merge request](gitlab-org/security/gitlab!2201))
+- [Check permission when creating members through service](gitlab-org/security/gitlab@948e5103285de2a6cdb5152ff2c13ae4db2f4cda) ([merge request](gitlab-org/security/gitlab!2211))
+- [Reset password field on page load](gitlab-org/security/gitlab@1417b463f2771a4b17e068dea9de3aa6c4540962) ([merge request](gitlab-org/security/gitlab!2194))
+
 ## 14.6.4 (2022-02-03)
 No changes.
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 7d6296b6cb..5ac2cb5708 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-14.6.4
\ No newline at end of file
+14.6.5
\ No newline at end of file
diff --git a/VERSION b/VERSION
index 7d6296b6cb..5ac2cb5708 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-14.6.4
\ No newline at end of file
+14.6.5
\ No newline at end of file
diff --git a/app/assets/javascripts/mirrors/mirror_repos.js b/app/assets/javascripts/mirrors/mirror_repos.js
index e59da18fb7..5bf08be1ea 100644
--- a/app/assets/javascripts/mirrors/mirror_repos.js
+++ b/app/assets/javascripts/mirrors/mirror_repos.js
@@ -6,6 +6,8 @@ import { __ } from '~/locale';
 import { hide } from '~/tooltips';
 import SSHMirror from './ssh_mirror';
+const PASSWORD_FIELD_SELECTOR = '.js-mirror-password-field';
+
 export default class MirrorRepos {
 constructor(container) {
 this.$container = $(container);
@@ -27,7 +29,6 @@ export default class MirrorRepos {
 this.$passwordGroup = $('.js-password-group', this.$container);
 this.$password = $('.js-password', this.$passwordGroup);
 this.$authMethod = $('.js-auth-method', this.$form);
-
 this.$keepDivergentRefsInput.on('change', () => this.updateKeepDivergentRefs());
 this.$authMethod.on('change', () => this.togglePassword());
 this.$password.on('input.updateUrl', () => this.debouncedUpdateUrl());
@@ -35,6 +36,13 @@ export default class MirrorRepos {
 this.initMirrorSSH();
 this.updateProtectedBranches();
 this.updateKeepDivergentRefs();
+ MirrorRepos.resetPasswordField();
+ }
+
+ static resetPasswordField() {
+ if (document.querySelector(PASSWORD_FIELD_SELECTOR)) {
+ document.querySelector(PASSWORD_FIELD_SELECTOR).value = '';
+ }
 }
 initMirrorSSH() {
diff --git a/app/assets/javascripts/snippets/components/show.vue b/app/assets/javascripts/snippets/components/show.vue
index 35d88d5ec8..ee8b00c1f5 100644
--- a/app/assets/javascripts/snippets/components/show.vue
+++ b/app/assets/javascripts/snippets/components/show.vue
@@ -1,5 +1,5 @@
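Review bot: `resetPasswordField` calls `document.querySelector(PASSWORD_FIELD_SELECTOR)` twice and goes through the global `document`, while every other lookup in `initMirrorPush` is scoped to `this.$container`; bind the element once, `const field = document.querySelector(PASSWORD_FIELD_SELECTOR); if (field) field.value = '';`, or, if `.js-mirror-password-field` is the same input as `this.$password` (`.js-password`), just call `this.$password.val('')` and drop the second selector. Clearing `.value` from JS only empties the field after the script has run, so if the HAML template still renders the stored credential into the input's `value` attribute it is still present in the HTTP response body and page source; this reset only makes sense alongside the server side not emitting it (the `_authentication_method.html.haml` change listed in the diffstat presumably does that — confirm). Assigning `.value` programmatically fires no `input` event, so the `input.updateUrl` handler bound a few lines above in `initMirrorPush` will not re-run; verify that the mirror URL displayed next to the field does not still carry the old password. A short comment on the new method, `// Never show a previously stored mirror password on page load; the user re-enters it to change auth`, would record why this runs unconditionally at init. The enclosing `initMirrorPush` method starts before this hunk.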