Update upstream source from tag 'upstream/13.7.8+ds1'

Update to upstream version '13.7.8+ds1'
with Debian dir dbc4117c60

CHANGELOG.md

@@ -2,6 +2,17 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 13.7.8 (2021-03-04)
+
+### Security (5 changes)
+
+- Bump thrift gem to 0.14.0.
+- Allow only owners to manage group variables.
+- Do not store marshalled sessions ids in Redis.
+- Workhorse: prevent escaped router path traversal.
+- Fix XSS vulnerability for swagger file viewer.
+
+
 ## 13.7.7 (2021-02-11)
 
 ### Security (9 changes)

GITALY_SERVER_VERSION

@@ -1 +1 @@
-13.7.7
+13.7.8

GITLAB_WORKHORSE_VERSION

@@ -1 +1 @@
-8.58.2
+8.58.4

Gemfile

@@ -312,6 +312,9 @@ gem 'premailer-rails', '~> 1.10.3'
 
 # LabKit: Tracing and Correlation
 gem 'gitlab-labkit', '0.13.3'
+# Thrift is a dependency of gitlab-labkit, we want a version higher than 0.14.0
+# because of https://gitlab.com/gitlab-org/gitlab/-/issues/321900
+gem 'thrift', '>= 0.14.0'
 
 # I18n
 gem 'ruby_parser', '~> 3.15', require: false

Gemfile.lock

@@ -1169,7 +1169,7 @@ GEM
       rack (>= 1, < 3)
     thor (0.20.3)
     thread_safe (0.3.6)
-    thrift (0.13.0)
+    thrift (0.14.0)
     tilt (2.0.10)
     timecop (0.9.1)
     timeliness (0.3.10)
@@ -1516,6 +1516,7 @@ DEPENDENCIES
   terser (= 1.0.2)
   test-prof (~> 0.12.0)
   thin (~> 1.7.0)
+  thrift (>= 0.14.0)
   timecop (~> 0.9.1)
   toml-rb (~> 1.0.0)
   truncato (~> 0.7.11)

VERSION

@@ -1 +1 @@
-13.7.7
+13.7.8

app/controllers/groups/variables_controller.rb

@@ -2,7 +2,7 @@
 
 module Groups
   class VariablesController < Groups::ApplicationController
-    before_action :authorize_admin_build!
+    before_action :authorize_admin_group!
 
     skip_cross_project_access_check :show, :update
 

app/controllers/profiles/active_sessions_controller.rb

@@ -8,9 +8,8 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController
   end
 
   def destroy
-    # params[:id] can be either an Rack::Session::SessionId#private_id
+    # params[:id] can be an Rack::Session::SessionId#private_id
-    # or an encrypted Rack::Session::SessionId#public_id
+    ActiveSession.destroy_session(current_user, params[:id])
-    ActiveSession.destroy_with_deprecated_encryption(current_user, params[:id])
     current_user.forget_me!
 
     respond_to do |format|

app/helpers/active_sessions_helper.rb

@@ -24,11 +24,6 @@ module ActiveSessionsHelper
   end
 
   def revoke_session_path(active_session)
-    if active_session.session_private_id
+    profile_active_session_path(active_session.session_private_id)
-      profile_active_session_path(active_session.session_private_id)
-    else
-      # TODO: remove in 13.7
-      profile_active_session_path(active_session.public_id)
-    end
   end
 end

app/models/active_session.rb

@@ -23,13 +23,6 @@ class ActiveSession
     device_type&.titleize
   end
 
-  # This is not the same as Rack::Session::SessionId#public_id, but we
-  # need to preserve this for backwards compatibility.
-  # TODO: remove in 13.7
-  def public_id
-    Gitlab::CryptoHelper.aes256_gcm_encrypt(session_id)
-  end
-
   def self.set(user, request)
     Gitlab::Redis::SharedState.with do |redis|
       session_private_id = request.session.id.private_id
@@ -44,8 +37,6 @@ class ActiveSession
         device_type: client.device_type,
         created_at: user.current_sign_in_at || timestamp,
         updated_at: timestamp,
-        # TODO: remove in 13.7
-        session_id: request.session.id.public_id,
         session_private_id: session_private_id,
         is_impersonated: request.session[:impersonator_id].present?
       )
@@ -61,20 +52,10 @@ class ActiveSession
           lookup_key_name(user.id),
           session_private_id
         )
-
-        # We remove the ActiveSession stored by using public_id to avoid
-        # duplicate entries
-        remove_deprecated_active_sessions_with_public_id(redis, user.id, request.session.id.public_id)
       end
     end
   end
 
-  # TODO: remove in 13.7
-  private_class_method def self.remove_deprecated_active_sessions_with_public_id(redis, user_id, rack_session_public_id)
-    redis.srem(lookup_key_name(user_id), rack_session_public_id)
-    redis.del(key_name(user_id, rack_session_public_id))
-  end
-
   def self.list(user)
     Gitlab::Redis::SharedState.with do |redis|
       cleaned_up_lookup_entries(redis, user).map do |raw_session|
@@ -90,18 +71,6 @@ class ActiveSession
     end
   end
 
-  # TODO: remove in 13.7
-  # After upgrade there might be a duplicate ActiveSessions:
-  # - one with the public_id stored in #session_id
-  # - another with private_id stored in #session_private_id
-  def self.destroy_with_rack_session_id(user, rack_session_id)
-    return unless rack_session_id
-
-    Gitlab::Redis::SharedState.with do |redis|
-      destroy_sessions(redis, user, [rack_session_id.public_id, rack_session_id.private_id])
-    end
-  end
-
   def self.destroy_sessions(redis, user, session_ids)
     key_names = session_ids.map { |session_id| key_name(user.id, session_id) }
 
@@ -113,19 +82,11 @@ class ActiveSession
     end
   end
 
-  # TODO: remove in 13.7
+  def self.destroy_session(user, session_id)
-  # After upgrade, .destroy might be called with the session id encrypted
-  # by .public_id.
-  def self.destroy_with_deprecated_encryption(user, session_id)
     return unless session_id
 
-    decrypted_session_id = decrypt_public_id(session_id)
-    rack_session_private_id = if decrypted_session_id
-                                Rack::Session::SessionId.new(decrypted_session_id).private_id
-                              end
-
     Gitlab::Redis::SharedState.with do |redis|
-      destroy_sessions(redis, user, [session_id, decrypted_session_id, rack_session_private_id].compact)
+      destroy_sessions(redis, user, [session_id].compact)
     end
   end
 
@@ -252,11 +213,4 @@ class ActiveSession
 
     entries.compact
   end
-
-  # TODO: remove in 13.7
-  private_class_method def self.decrypt_public_id(public_id)
-    Gitlab::CryptoHelper.aes256_gcm_decrypt(public_id)
-  rescue
-    nil
-  end
 end

config/initializers/warden.rb

@@ -40,8 +40,7 @@ Rails.application.configure do |config|
     activity = Gitlab::Auth::Activity.new(opts)
     tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
 
-    # TODO: switch to `auth.request.session.id.private_id` in 13.7
+    ActiveSession.destroy_session(user, auth.request.session.id.private_id) if auth.request.session.id
-    ActiveSession.destroy_with_rack_session_id(user, auth.request.session.id)
     activity.user_session_destroyed!
 
     ##

elasticsearch-rails/.gitignore

@@ -1,17 +1,11 @@
-*.gem
+.DS_Store
-*.rbc
+*.log
-.bundle
+tmp/
-.config
+.idea/*
-.yardoc
+
-Gemfile.lock
+.yardoc/
-InstalledFiles
+_yardoc/
-_yardoc
+coverage/
-coverage
+rdoc/
 doc/
-lib/bundler/man
+Gemfile.lock
-pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp

elasticsearch-rails/.travis.yml

@@ -0,0 +1,66 @@
+# -----------------------------------------------------------------------------
+# Configuration file for http://travis-ci.org/elasticsearch/elasticsearch-rails
+# -----------------------------------------------------------------------------
+
+dist: trusty
+
+sudo: required
+
+language: ruby
+
+services:
+  - mongodb
+
+branches:
+  only:
+    - master
+    - travis
+    - 5.x
+    - 6.x
+    - 2.x
+
+matrix:
+  include:
+    - rvm: 2.2
+      jdk: oraclejdk8
+      env: RAILS_VERSIONS=3.0
+
+    - rvm: 2.3.8
+      jdk: oraclejdk8
+      env: RAILS_VERSIONS=5.0
+
+    - rvm: 2.6.1
+      jdk: oraclejdk8
+      env: RAILS_VERSIONS=4.0,5.0
+
+    - rvm: jruby-9.2.5.0
+      jdk: oraclejdk8
+      env: RAILS_VERSIONS=5.0
+
+env:
+  global:
+    - ELASTICSEARCH_VERSION=6.4.0
+    - QUIET=true
+
+
+before_install:
+  - wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELASTICSEARCH_VERSION}.deb
+  - wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELASTICSEARCH_VERSION}.deb.sha512
+  - shasum -a 512 -c elasticsearch-${ELASTICSEARCH_VERSION}.deb.sha512
+  - sudo dpkg -i --force-confnew elasticsearch-${ELASTICSEARCH_VERSION}.deb
+  - sudo service elasticsearch start
+  - gem update --system
+  - gem update bundler
+  - gem --version
+  - bundle version
+
+install:
+  - bundle install
+  - rake bundle:clean
+  - rake bundle:install
+
+script:
+  - rake test:all
+
+notifications:
+  disable: true