10 commits
master
...
stretch-up
Author | SHA1 | Date | |
---|---|---|---|
|
4a296f0159 | ||
|
9e7c36752c | ||
|
cfdebd5834 | ||
|
da2943352c | ||
|
106fff101e | ||
|
216662c34f | ||
|
3a35221826 | ||
|
c68702ea03 | ||
|
0785f111d7 | ||
|
08d9b89684 |
11 changed files with 1214 additions and 1 deletions
21
debian/changelog
vendored
|
@ -1,3 +1,24 @@
|
|||
gitlab (8.13.11+dfsg1-8+deb9u3) stretch-security; urgency=high
|
||||
|
||||
* Fix regression in cve-2017-0920.patch (Closes: #900066)
|
||||
(Thanks to kp666)
|
||||
|
||||
-- Pirate Praveen <praveen@debian.org> Sat, 26 May 2018 14:37:57 +0530
|
||||
|
||||
gitlab (8.13.11+dfsg1-8+deb9u2) stretch-security; urgency=medium
|
||||
|
||||
* Fixes CVE-2018-8971 (Closes: #893905)
|
||||
* Fixes CVE-2017-0920 (Closes: #888508)
|
||||
|
||||
-- Pirate Praveen <praveen@debian.org> Tue, 27 Mar 2018 14:38:53 +0530
|
||||
|
||||
gitlab (8.13.11+dfsg1-8+deb9u1) stretch-security; urgency=high
|
||||
|
||||
* Fixes multiple security vulnerabilities (backported from 10.3.4 release)
|
||||
CVE-2017-0916, CVE-2017-0918, CVE-2017-0925, CVE-2017-0926, CVE-2017-3710
|
||||
|
||||
-- Pirate Praveen <praveen@debian.org> Thu, 15 Mar 2018 11:49:26 +0530
|
||||
|
||||
gitlab (8.13.11+dfsg1-8) unstable; urgency=medium
|
||||
|
||||
* Export all variables declared in gitlab-debian.conf from
|
||||
|
|
2
debian/control
vendored
|
@ -47,7 +47,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, ruby | ruby-interpreter,
|
|||
ruby-devise (>= 4.2~),
|
||||
ruby-doorkeeper (>= 4.0~),
|
||||
ruby-omniauth (>= 1.3.1~),
|
||||
ruby-omniauth-auth0 (>= 1.4.1~),
|
||||
ruby-omniauth-auth0 (>= 2.0~),
|
||||
ruby-omniauth-azure-oauth2 (>= 0.0.6~),
|
||||
ruby-omniauth-bitbucket (>= 0.0.2~),
|
||||
ruby-omniauth-cas3 (>= 1.1.2~),
|
||||
|
|
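--- /dev/null
+++ b/debian/patches/cve-2017-0916.patch
@@ -0,0 +1,32 @@
+--- a/app/models/hooks/web_hook.rb
++++ b/app/models/hooks/web_hook.rb
+@@ -19,6 +19,7 @@
+default_timeout Gitlab.config.gitlab.webhook_timeout
+
+validates :url, presence: true, url: true
++ validates :token, format: { without: /\n/ }
+
+def execute(data, hook_name)
+parsed_url = URI.parse(url)
+@@ -57,7 +58,7 @@
+'Content-Type' => 'application/json',
+'X-Gitlab-Event' => hook_name.singularize.titleize
+}
+- headers['X-Gitlab-Token'] = token if token.present?
++ headers['X-Gitlab-Token'] = Gitlab::Utils.remove_line_breaks(token) if token.present?
+headers
+end
+end
+--- a/lib/gitlab/utils.rb
++++ b/lib/gitlab/utils.rb
+@@ -14,6 +14,10 @@
+str.force_encoding(Encoding::UTF_8)
+end
+
++ def remove_line_breaks(str)
++ str.gsub(/\r?\n/, '')
++ end
++
+def to_boolean(value)
+return value if [true, false].include?(value)
+return true if value =~ /^(true|t|yes|y|1|on)$/i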
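Review bot: The sanitiser only strips `\n` and `\r\n` (`str.gsub(/\r?\n/, '')` in `remove_line_breaks`) and the model validation only rejects `\n` (`validates :token, format: { without: /\n/ }`), so a token holding a bare `\r` reaches `headers['X-Gitlab-Token']` unchanged. A lone carriage return is still a header-delimiter risk for lenient HTTP parsers, so both sides should treat CR and LF alike: `str.gsub(/[\r\n]/, '')` and `format: { without: /[\r\n]/ }`. The two changes are kept in sync by `execute`, so whichever form is chosen, the validator and the sanitiser should use the same character class.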
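--- /dev/null
+++ b/debian/patches/cve-2017-0918.patch
@@ -0,0 +1,28 @@
+--- a/lib/gitlab/ci/config/node/validators.rb
++++ b/lib/gitlab/ci/config/node/validators.rb
+@@ -48,10 +48,24 @@
+include LegacyValidationHelpers
+
+def validate_each(record, attribute, value)
+- unless validate_string(value)
++ if validate_string(value)
++ validate_path(record, attribute, value)
++ else
+record.errors.add(attribute, 'should be a string or symbol')
+end
+end
++
++ private
++
++ def validate_path(record, attribute, value)
++ path = CGI.unescape(value.to_s)
++
++ if path.include?('/')
++ record.errors.add(attribute, 'cannot contain the "/" character')
++ elsif path == '.' || path == '..'
++ record.errors.add(attribute, 'cannot be "." or ".."')
++ end
++ end
+end
+
+class TypeValidator < ActiveModel::EachValidator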
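Review bot: `validate_path` decodes with `CGI.unescape`, which also turns `+` into a space, so the string being checked can differ from what a consumer that decodes only percent-escapes would produce; the code that later uses this value is outside the hunk, so confirm it decodes the same way, otherwise the `/` and `..` checks run on a different string than the one actually used. The method also has no comment saying why decoding precedes the checks; a line such as `# Validate the decoded form so percent-encoded "/" and ".." are rejected too` above `path = CGI.unescape(value.to_s)` would record the intent for the next reader.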
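--- /dev/null
+++ b/debian/patches/cve-2017-0920.patch
@@ -0,0 +1,72 @@
+From 523050b6383256072364937bd61054aebca2978b Mon Sep 17 00:00:00 2001
+From: Sean McGivern <sean@gitlab.com>
+Date: Fri, 5 Jan 2018 17:55:37 +0000
+Subject: [PATCH] Merge branch '41567-projectfix' into 'security-10-3'
+
+check project access on MR create
+
+See merge request gitlab/gitlabhq!2273
+
+(cherry picked from commit 1fe2325d6ef2bced4c5e97b57691c894f38b2834)
+
+43e85f49 check project access on MR create
+---
+app/services/merge_requests/create_service.rb | 28 ++++++++++++++++++++++------
+changelogs/unreleased/projectfix.yml | 6 ++++++
+spec/features/cycle_analytics_spec.rb | 1 +
+spec/models/project_services/microsoft_teams_service_spec.rb | 4 ++++
+spec/requests/api/merge_requests_spec.rb | 26 +++++++++++++++++++-------
+spec/requests/api/v3/merge_requests_spec.rb | 26 +++++++++++++++++++-------
+spec/services/merge_requests/create_service_spec.rb | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+spec/support/slack_mattermost_notifications_shared_examples.rb | 1 +
+8 files changed, 133 insertions(+), 20 deletions(-)
+create mode 100644 changelogs/unreleased/projectfix.yml
+
+--- a/app/services/merge_requests/create_service.rb
++++ b/app/services/merge_requests/create_service.rb
+@@ -1,16 +1,12 @@
+module MergeRequests
+class CreateService < MergeRequests::BaseService
+def execute
+- # @project is used to determine whether the user can set the merge request's
+- # assignee, milestone and labels. Whether they can depends on their
+- # permissions on the target project.
+- source_project = @project
+- @project = Project.find(params[:target_project_id]) if params[:target_project_id]
++ set_projects!
+
+- params[:target_project_id] ||= source_project.id
++ params[:target_project_id] ||= @project.id
+
+merge_request = MergeRequest.new
+- merge_request.source_project = source_project
++ merge_request.source_project = @source_project
+merge_request.merge_params['force_remove_source_branch'] = params.delete(:force_remove_source_branch)
+
+create(merge_request)
+@@ -22,5 +18,25 @@
+todo_service.new_merge_request(issuable, current_user)
+issuable.cache_merge_request_closes_issues!(current_user)
+end
++
++ def set_projects!
++ # @project is used to determine whether the user can set the merge request's
++ # assignee, milestone and labels. Whether they can depends on their
++ # permissions on the target project.
++ @source_project = @project
++ @project = Project.find(params[:target_project_id]) if params[:target_project_id]
++
++ # make sure that source/target project ids are not in
++ # params so it can't be overridden later when updating attributes
++ # from params when applying quick actions
++ params.delete(:source_project_id)
++ params.delete(:target_project_id)
++
++ unless can?(current_user, :read_project, @source_project) &&
++ can?(current_user, :read_project, @project)
++
++ raise Gitlab::Access::AccessDeniedError
++ end
++ end
+end
+end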
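Review bot: `set_projects!` deletes `params[:target_project_id]` with a comment saying the id must not be in params so it "can't be overridden later", yet the very next statement in `execute` is `params[:target_project_id] ||= @project.id`, which re-inserts the key unconditionally because it is always absent at that point. The value written back is the target that `set_projects!` just authorised, so the access check itself still holds, but the comment overstates what the deletion achieves and the `||=` is effectively a plain assignment. `params[:target_project_id] = @project.id # validated in set_projects!` would say what actually happens. The remainder of `execute` and of `create` lies outside the hunk, so whether anything reads the key afterwards is not visible here.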
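--- /dev/null
+++ b/debian/patches/cve-2017-0925.patch
@@ -0,0 +1,39 @@
+--- a/app/models/service.rb
++++ b/app/models/service.rb
+@@ -98,6 +98,11 @@
+nil
+end
+
++ def api_field_names
++ fields.map { |field| field[:name] }
++ .reject { |field_name| field_name =~ /(password|token|key)/ }
++ end
++
+def global_fields
+fields
+end
+--- a/lib/api/entities.rb
++++ b/lib/api/entities.rb
+@@ -411,10 +411,7 @@
+expose :tag_push_events, :note_events, :build_events, :pipeline_events
+# Expose serialized properties
+expose :properties do |service, options|
+- field_names = service.fields.
+- select { |field| options[:include_passwords] || field[:type] != 'password' }.
+- map { |field| field[:name] }
+- service.properties.slice(*field_names)
++ service.properties.slice(*service.api_field_names)
+end
+end
+
+--- a/lib/api/services.rb
++++ b/lib/api/services.rb
+@@ -56,7 +56,7 @@
+# GET /project/:id/services/gitlab-ci
+#
+get ':id/services/:service_slug' do
+- present project_service, with: Entities::ProjectService, include_passwords: current_user.is_admin?
++ present project_service, with: Entities::ProjectService
+end
+end
+end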
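Review bot: `api_field_names` filters with the case-sensitive `/(password|token|key)/`, so a field whose name spells the secret in another case (`apiKey`, `API_TOKEN`) would pass the filter and be serialised through `expose :properties`; the field definitions of the individual services are outside the hunk, so whether such a name exists in this tree cannot be confirmed here. Making the match case-insensitive, `.reject { |field_name| field_name =~ /(password|token|key)/i }`, closes that gap at no cost. Dropping `include_passwords: current_user.is_admin?` in `lib/api/services.rb` means administrators no longer receive secrets either, which is consistent with moving the filter into the model.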
171
debian/patches/cve-2017-0926.patch
vendored
Normal file
|
@ -0,0 +1,171 @@
|
|||
From d2536bf5a683098f4077cf644e8344cc7ea8e13a Mon Sep 17 00:00:00 2001
|
||||
From: Robert Speicher <robert@gitlab.com>
|
||||
Date: Tue, 9 Jan 2018 16:47:31 +0000
|
||||
Subject: [PATCH] Merge branch 'jej/fix-disabled-oauth-access-10-3' into 'security-10-3'
|
||||
|
||||
[10.3] Prevent login with disabled OAuth providers
|
||||
|
||||
See merge request gitlab/gitlabhq!2296
|
||||
|
||||
(cherry picked from commit 4936650427ffc88e6ee927aedbb2c724d24b094c)
|
||||
|
||||
a0f9d222 Prevents login with disabled OAuth providers
|
||||
---
|
||||
app/controllers/omniauth_callbacks_controller.rb | 9 +++++++++
|
||||
changelogs/unreleased/jej-fix-disabled-oauth-access.yml | 5 +++++
|
||||
lib/gitlab/o_auth.rb | 6 ++++++
|
||||
lib/gitlab/o_auth/user.rb | 11 ++++++-----
|
||||
spec/controllers/omniauth_callbacks_controller_spec.rb | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
spec/features/oauth_login_spec.rb | 3 +--
|
||||
spec/support/devise_helpers.rb | 15 +++++++++------
|
||||
spec/support/login_helpers.rb | 7 +++++++
|
||||
8 files changed, 118 insertions(+), 13 deletions(-)
|
||||
create mode 100644 changelogs/unreleased/jej-fix-disabled-oauth-access.yml
|
||||
create mode 100644 lib/gitlab/o_auth.rb
|
||||
create mode 100644 spec/controllers/omniauth_callbacks_controller_spec.rb
|
||||
|
||||
--- a/app/controllers/omniauth_callbacks_controller.rb
|
||||
+++ b/app/controllers/omniauth_callbacks_controller.rb
|
||||
@@ -93,6 +93,8 @@
|
||||
|
||||
continue_login_process
|
||||
end
|
||||
+ rescue Gitlab::OAuth::SigninDisabledForProviderError
|
||||
+ handle_disabled_provider
|
||||
rescue Gitlab::OAuth::SignupDisabledError
|
||||
handle_signup_error
|
||||
end
|
||||
@@ -136,6 +138,13 @@
|
||||
@oauth ||= request.env['omniauth.auth']
|
||||
end
|
||||
|
||||
+ def handle_disabled_provider
|
||||
+ label = Gitlab::OAuth::Provider.label_for(oauth['provider'])
|
||||
+ flash[:alert] = "Signing in using #{label} has been disabled"
|
||||
+
|
||||
+ redirect_to new_user_session_path
|
||||
+ end
|
||||
+
|
||||
def log_audit_event(user, options = {})
|
||||
AuditEventService.new(user, user, options).
|
||||
for_authentication.security_event
|
||||
--- /dev/null
|
||||
+++ b/changelogs/unreleased/jej-fix-disabled-oauth-access.yml
|
||||
@@ -0,0 +1,5 @@
|
||||
+---
|
||||
+title: Prevent OAuth login POST requests when a provider has been disabled
|
||||
+merge_request:
|
||||
+author:
|
||||
+type: security
|
||||
--- /dev/null
|
||||
+++ b/lib/gitlab/o_auth.rb
|
||||
@@ -0,0 +1,6 @@
|
||||
+module Gitlab
|
||||
+ module OAuth
|
||||
+ SignupDisabledError = Class.new(StandardError)
|
||||
+ SigninDisabledForProviderError = Class.new(StandardError)
|
||||
+ end
|
||||
+end
|
||||
--- a/lib/gitlab/o_auth/user.rb
|
||||
+++ b/lib/gitlab/o_auth/user.rb
|
||||
@@ -27,7 +27,8 @@
|
||||
end
|
||||
|
||||
def save(provider = 'OAuth')
|
||||
- unauthorized_to_create unless gl_user
|
||||
+ raise SigninDisabledForProviderError if oauth_provider_disabled?
|
||||
+ raise SignupDisabledError unless gl_user
|
||||
|
||||
if needs_blocking?
|
||||
gl_user.save!
|
||||
@@ -181,8 +182,10 @@
|
||||
Gitlab::AppLogger
|
||||
end
|
||||
|
||||
- def unauthorized_to_create
|
||||
- raise SignupDisabledError
|
||||
+ def oauth_provider_disabled?
|
||||
+ Gitlab::CurrentSettings.current_application_settings
|
||||
+ .disabled_oauth_sign_in_sources
|
||||
+ .include?(auth_hash.provider)
|
||||
end
|
||||
end
|
||||
end
|
||||
--- /dev/null
|
||||
+++ b/spec/controllers/omniauth_callbacks_controller_spec.rb
|
||||
@@ -0,0 +1,75 @@
|
||||
+require 'spec_helper'
|
||||
+
|
||||
+describe OmniauthCallbacksController do
|
||||
+ include LoginHelpers
|
||||
+
|
||||
+ let(:user) { create(:omniauth_user, extern_uid: 'my-uid', provider: provider) }
|
||||
+ let(:provider) { :github }
|
||||
+
|
||||
+ before do
|
||||
+ mock_auth_hash(provider.to_s, 'my-uid', user.email)
|
||||
+ stub_omniauth_provider(provider, context: request)
|
||||
+ end
|
||||
+
|
||||
+ it 'allows sign in' do
|
||||
+ post provider
|
||||
+
|
||||
+ expect(request.env['warden']).to be_authenticated
|
||||
+ end
|
||||
+
|
||||
+ shared_context 'sign_up' do
|
||||
+ let(:user) { double(email: 'new@example.com') }
|
||||
+
|
||||
+ before do
|
||||
+ stub_omniauth_setting(block_auto_created_users: false)
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
+ context 'sign up' do
|
||||
+ include_context 'sign_up'
|
||||
+
|
||||
+ it 'is allowed' do
|
||||
+ post provider
|
||||
+
|
||||
+ expect(request.env['warden']).to be_authenticated
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
+ context 'when OAuth is disabled' do
|
||||
+ before do
|
||||
+ stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
|
||||
+ settings = Gitlab::CurrentSettings.current_application_settings
|
||||
+ settings.update(disabled_oauth_sign_in_sources: [provider.to_s])
|
||||
+ end
|
||||
+
|
||||
+ it 'prevents login via POST' do
|
||||
+ post provider
|
||||
+
|
||||
+ expect(request.env['warden']).not_to be_authenticated
|
||||
+ end
|
||||
+
|
||||
+ it 'shows warning when attempting login' do
|
||||
+ post provider
|
||||
+
|
||||
+ expect(response).to redirect_to new_user_session_path
|
||||
+ expect(flash[:alert]).to eq('Signing in using GitHub has been disabled')
|
||||
+ end
|
||||
+
|
||||
+ it 'allows linking the disabled provider' do
|
||||
+ user.identities.destroy_all
|
||||
+ sign_in(user)
|
||||
+
|
||||
+ expect { post provider }.to change { user.reload.identities.count }.by(1)
|
||||
+ end
|
||||
+
|
||||
+ context 'sign up' do
|
||||
+ include_context 'sign_up'
|
||||
+
|
||||
+ it 'is prevented' do
|
||||
+ post provider
|
||||
+
|
||||
+ expect(request.env['warden']).not_to be_authenticated
|
||||
+ end
|
||||
+ end
|
||||
+ end
|
||||
+end
|
128
debian/patches/cve-2017-3710.patch
vendored
Normal file
|
@ -0,0 +1,128 @@
|
|||
From 056d35cad0e09a59fdf44cb6bd7063f73a970f01 Mon Sep 17 00:00:00 2001
|
||||
From: James Lopez <james@gitlab.com>
|
||||
Date: Mon, 8 Jan 2018 15:42:41 +0000
|
||||
Subject: [PATCH] Merge branch 'fix/import-rce-10-3' into 'security-10-3'
|
||||
|
||||
[10.3] Fix RCE via project import mechanism
|
||||
|
||||
See merge request gitlab/gitlabhq!2294
|
||||
|
||||
(cherry picked from commit dcfec507d6f9ee119d65a832393e7c593af1d3b2)
|
||||
|
||||
86d75812 Fix RCE via project import mechanism
|
||||
---
|
||||
changelogs/unreleased/fix-import-rce.yml | 5 +++++
|
||||
lib/gitlab/import_export/file_importer.rb | 6 +++++-
|
||||
lib/gitlab/import_export/saver.rb | 2 +-
|
||||
lib/gitlab/import_export/shared.rb | 14 +++++++++++++-
|
||||
spec/lib/gitlab/import_export/file_importer_spec.rb | 57 ++++++++++++++++++++++++++++++++++++++++++++-------------
|
||||
5 files changed, 68 insertions(+), 16 deletions(-)
|
||||
create mode 100644 changelogs/unreleased/fix-import-rce.yml
|
||||
|
||||
--- /dev/null
|
||||
+++ b/changelogs/unreleased/fix-import-rce.yml
|
||||
@@ -0,0 +1,5 @@
|
||||
+---
|
||||
+title: Fix RCE via project import mechanism
|
||||
+merge_request:
|
||||
+author:
|
||||
+type: security
|
||||
--- a/lib/gitlab/import_export/file_importer.rb
|
||||
+++ b/lib/gitlab/import_export/file_importer.rb
|
||||
@@ -17,12 +17,16 @@
|
||||
def import
|
||||
mkdir_p(@shared.export_path)
|
||||
|
||||
+ remove_symlinks!
|
||||
+
|
||||
wait_for_archived_file do
|
||||
decompress_archive
|
||||
end
|
||||
rescue => e
|
||||
@shared.error(e)
|
||||
false
|
||||
+ ensure
|
||||
+ remove_symlinks!
|
||||
end
|
||||
|
||||
private
|
||||
@@ -43,7 +47,7 @@
|
||||
|
||||
raise Projects::ImportService::Error.new("Unable to decompress #{@archive_file} into #{@shared.export_path}") unless result
|
||||
|
||||
- remove_symlinks!
|
||||
+ result
|
||||
end
|
||||
|
||||
def remove_symlinks!
|
||||
--- a/lib/gitlab/import_export/saver.rb
|
||||
+++ b/lib/gitlab/import_export/saver.rb
|
||||
@@ -37,7 +37,7 @@
|
||||
end
|
||||
|
||||
def archive_file
|
||||
- @archive_file ||= File.join(@shared.export_path, '..', Gitlab::ImportExport.export_filename(project: @project))
|
||||
+ @archive_file ||= File.join(@shared.archive_path, Gitlab::ImportExport.export_filename(project: @project))
|
||||
end
|
||||
end
|
||||
end
|
||||
--- a/lib/gitlab/import_export/shared.rb
|
||||
+++ b/lib/gitlab/import_export/shared.rb
|
||||
@@ -9,7 +9,11 @@
|
||||
end
|
||||
|
||||
def export_path
|
||||
- @export_path ||= Gitlab::ImportExport.export_path(relative_path: opts[:relative_path])
|
||||
+ @export_path ||= Gitlab::ImportExport.export_path(relative_path: relative_path)
|
||||
+ end
|
||||
+
|
||||
+ def archive_path
|
||||
+ @archive_path ||= Gitlab::ImportExport.export_path(relative_path: relative_archive_path)
|
||||
end
|
||||
|
||||
def error(error)
|
||||
@@ -21,6 +25,14 @@
|
||||
|
||||
private
|
||||
|
||||
+ def relative_path
|
||||
+ File.join(opts[:relative_path], SecureRandom.hex)
|
||||
+ end
|
||||
+
|
||||
+ def relative_archive_path
|
||||
+ File.join(opts[:relative_path], '..')
|
||||
+ end
|
||||
+
|
||||
def error_out(message, caller)
|
||||
Rails.logger.error("Import/Export error raised on #{caller}: #{message}")
|
||||
end
|
||||
--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
|
||||
+++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
|
||||
@@ -11,21 +11,20 @@
|
||||
stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
|
||||
allow_any_instance_of(Gitlab::ImportExport).to receive(:storage_path).and_return(export_path)
|
||||
allow_any_instance_of(Gitlab::ImportExport::CommandLineUtil).to receive(:untar_zxf).and_return(true)
|
||||
-
|
||||
+ allow(SecureRandom).to receive(:hex).and_return('abcd')
|
||||
setup_files
|
||||
-
|
||||
- described_class.import(archive_file: '', shared: shared)
|
||||
end
|
||||
|
||||
after do
|
||||
FileUtils.rm_rf(export_path)
|
||||
end
|
||||
|
||||
- it 'removes symlinks in root folder' do
|
||||
- expect(File.exist?(symlink_file)).to be false
|
||||
- end
|
||||
+ context 'normal run' do
|
||||
+ before do
|
||||
+ described_class.import(archive_file: '', shared: shared)
|
||||
+ end
|
||||
|
||||
- it 'removes symlinks in subfolders' do
|
||||
+ it 'removes symlinks in subfolders' do
|
||||
expect(File.exist?(subfolder_symlink_file)).to be false
|
||||
end
|
||||
|
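Review bot: `remove_symlinks!` is now also called from the `ensure` clause of `import`, so it runs even when `mkdir_p(@shared.export_path)` itself raised and the directory may not exist; whether `remove_symlinks!` tolerates a missing tree is not visible, since its body lies outside the hunk. The other new piece that deserves a comment is `relative_path` in `shared.rb`, which returns a fresh `SecureRandom.hex` segment on every call while `export_path` memoises the result in `@export_path`; a second caller inside `Shared` that builds on `relative_path` directly would get a different directory from the one the importer extracted into. A line such as `# Random per-import segment; always go through export_path, which memoizes it` above `def relative_path` would make that invariant explicit. The spec hunk at `@@ -11,21 +11,20 @@` is shown only partially.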
283
debian/patches/cve-2018-8971.patch
vendored
Normal file
|
@ -0,0 +1,283 @@
|
|||
From 7fca314680776995b4e6858b55001a4bf56bf17a Mon Sep 17 00:00:00 2001
|
||||
From: James Lopez <james@gitlab.com>
|
||||
Date: Thu, 15 Mar 2018 14:59:21 +0000
|
||||
Subject: [PATCH] Merge branch 'fix/auth0-unsafe-login-10-5' into 'security-10-5'
|
||||
|
||||
[10.5] Fix GitLab Auth0 integration signs in the wrong user
|
||||
|
||||
See merge request gitlab/gitlabhq!2353
|
||||
---
|
||||
Gemfile | 2 +-
|
||||
Gemfile.lock | 6 +++---
|
||||
app/controllers/omniauth_callbacks_controller.rb | 14 ++++++++++++++
|
||||
changelogs/unreleased/fix-auth0-unsafe-login.yml | 5 +++++
|
||||
db/post_migrate/20180220150310_remove_empty_extern_uid_auth0_identities.rb | 25 +++++++++++++++++++++++++
|
||||
doc/integration/auth0.md | 7 ++++---
|
||||
spec/controllers/omniauth_callbacks_controller_spec.rb | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------------------------
|
||||
spec/migrations/remove_empty_extern_uid_auth0_identities_spec.rb | 22 ++++++++++++++++++++++
|
||||
8 files changed, 134 insertions(+), 50 deletions(-)
|
||||
create mode 100644 changelogs/unreleased/fix-auth0-unsafe-login.yml
|
||||
create mode 100644 db/post_migrate/20180220150310_remove_empty_extern_uid_auth0_identities.rb
|
||||
create mode 100644 spec/migrations/remove_empty_extern_uid_auth0_identities_spec.rb
|
||||
|
||||
--- a/app/controllers/omniauth_callbacks_controller.rb
|
||||
+++ b/app/controllers/omniauth_callbacks_controller.rb
|
||||
@@ -78,6 +78,14 @@
|
||||
handle_omniauth
|
||||
end
|
||||
|
||||
+ def auth0
|
||||
+ if oauth['uid'].blank?
|
||||
+ fail_auth0_login
|
||||
+ else
|
||||
+ handle_omniauth
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
private
|
||||
|
||||
def handle_omniauth
|
||||
@@ -138,6 +146,12 @@
|
||||
@oauth ||= request.env['omniauth.auth']
|
||||
end
|
||||
|
||||
+ def fail_auth0_login
|
||||
+ flash[:alert] = 'Wrong extern UID provided. Make sure Auth0 is configured correctly.'
|
||||
+
|
||||
+ redirect_to new_user_session_path
|
||||
+ end
|
||||
+
|
||||
def handle_disabled_provider
|
||||
label = Gitlab::OAuth::Provider.label_for(oauth['provider'])
|
||||
flash[:alert] = "Signing in using #{label} has been disabled"
|
||||
--- /dev/null
|
||||
+++ b/changelogs/unreleased/fix-auth0-unsafe-login.yml
|
||||
@@ -0,0 +1,5 @@
|
||||
+---
|
||||
+title: Fix GitLab Auth0 integration signing in the wrong user
|
||||
+merge_request:
|
||||
+author:
|
||||
+type: security
|
||||
--- /dev/null
|
||||
+++ b/db/post_migrate/20180220150310_remove_empty_extern_uid_auth0_identities.rb
|
||||
@@ -0,0 +1,25 @@
|
||||
+class RemoveEmptyExternUidAuth0Identities < ActiveRecord::Migration
|
||||
+ include Gitlab::Database::MigrationHelpers
|
||||
+
|
||||
+ DOWNTIME = false
|
||||
+
|
||||
+ disable_ddl_transaction!
|
||||
+
|
||||
+ class Identity < ActiveRecord::Base
|
||||
+ self.table_name = 'identities'
|
||||
+ include EachBatch
|
||||
+ end
|
||||
+
|
||||
+ def up
|
||||
+ broken_auth0_identities.each_batch do |identity|
|
||||
+ identity.delete_all
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
+ def broken_auth0_identities
|
||||
+ Identity.where(provider: 'auth0', extern_uid: [nil, ''])
|
||||
+ end
|
||||
+
|
||||
+ def down
|
||||
+ end
|
||||
+end
|
||||
--- a/doc/integration/auth0.md
|
||||
+++ b/doc/integration/auth0.md
|
||||
@@ -56,7 +56,8 @@
|
||||
"name" => "auth0",
|
||||
"args" => { client_id: 'YOUR_AUTH0_CLIENT_ID'',
|
||||
client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
|
||||
- namespace: 'YOUR_AUTH0_DOMAIN'
|
||||
+ domain: 'YOUR_AUTH0_DOMAIN',
|
||||
+ scope: 'openid profile email'
|
||||
}
|
||||
}
|
||||
]
|
||||
@@ -69,8 +70,8 @@
|
||||
args: {
|
||||
client_id: 'YOUR_AUTH0_CLIENT_ID',
|
||||
client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
|
||||
- namespace: 'YOUR_AUTH0_DOMAIN'
|
||||
- }
|
||||
+ domain: 'YOUR_AUTH0_DOMAIN',
|
||||
+ scope: 'openid profile email' }
|
||||
}
|
||||
```
|
||||
|
||||
--- a/spec/controllers/omniauth_callbacks_controller_spec.rb
|
||||
+++ b/spec/controllers/omniauth_callbacks_controller_spec.rb
|
||||
@@ -3,73 +3,90 @@
|
||||
describe OmniauthCallbacksController do
|
||||
include LoginHelpers
|
||||
|
||||
- let(:user) { create(:omniauth_user, extern_uid: 'my-uid', provider: provider) }
|
||||
- let(:provider) { :github }
|
||||
+ let(:user) { create(:omniauth_user, extern_uid: extern_uid, provider: provider) }
|
||||
|
||||
before do
|
||||
- mock_auth_hash(provider.to_s, 'my-uid', user.email)
|
||||
+ mock_auth_hash(provider.to_s, extern_uid, user.email)
|
||||
stub_omniauth_provider(provider, context: request)
|
||||
end
|
||||
|
||||
- it 'allows sign in' do
|
||||
- post provider
|
||||
+ context 'github' do
|
||||
+ let(:extern_uid) { 'my-uid' }
|
||||
+ let(:provider) { :github }
|
||||
|
||||
- expect(request.env['warden']).to be_authenticated
|
||||
- end
|
||||
+ it 'allows sign in' do
|
||||
+ post provider
|
||||
+
|
||||
+ expect(request.env['warden']).to be_authenticated
|
||||
+ end
|
||||
|
||||
- shared_context 'sign_up' do
|
||||
- let(:user) { double(email: 'new@example.com') }
|
||||
+ shared_context 'sign_up' do
|
||||
+ let(:user) { double(email: 'new@example.com') }
|
||||
|
||||
- before do
|
||||
- stub_omniauth_setting(block_auto_created_users: false)
|
||||
+ before do
|
||||
+ stub_omniauth_setting(block_auto_created_users: false)
|
||||
+ end
|
||||
end
|
||||
- end
|
||||
|
||||
- context 'sign up' do
|
||||
- include_context 'sign_up'
|
||||
+ context 'sign up' do
|
||||
+ include_context 'sign_up'
|
||||
|
||||
- it 'is allowed' do
|
||||
- post provider
|
||||
+ it 'is allowed' do
|
||||
+ post provider
|
||||
|
||||
- expect(request.env['warden']).to be_authenticated
|
||||
+ expect(request.env['warden']).to be_authenticated
|
||||
+ end
|
||||
end
|
||||
- end
|
||||
|
||||
- context 'when OAuth is disabled' do
|
||||
- before do
|
||||
- stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
|
||||
- settings = Gitlab::CurrentSettings.current_application_settings
|
||||
- settings.update(disabled_oauth_sign_in_sources: [provider.to_s])
|
||||
- end
|
||||
+ context 'when OAuth is disabled' do
|
||||
+ before do
|
||||
+ stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
|
||||
+ settings = Gitlab::CurrentSettings.current_application_settings
|
||||
+ settings.update(disabled_oauth_sign_in_sources: [provider.to_s])
|
||||
+ end
|
||||
|
||||
- it 'prevents login via POST' do
|
||||
- post provider
|
||||
+ it 'prevents login via POST' do
|
||||
+ post provider
|
||||
|
||||
- expect(request.env['warden']).not_to be_authenticated
|
||||
- end
|
||||
+ expect(request.env['warden']).not_to be_authenticated
|
||||
+ end
|
||||
|
||||
- it 'shows warning when attempting login' do
|
||||
- post provider
|
||||
+ it 'shows warning when attempting login' do
|
||||
+ post provider
|
||||
|
||||
- expect(response).to redirect_to new_user_session_path
|
||||
- expect(flash[:alert]).to eq('Signing in using GitHub has been disabled')
|
||||
- end
|
||||
+ expect(response).to redirect_to new_user_session_path
|
||||
+ expect(flash[:alert]).to eq('Signing in using GitHub has been disabled')
|
||||
+ end
|
||||
|
||||
- it 'allows linking the disabled provider' do
|
||||
- user.identities.destroy_all
|
||||
- sign_in(user)
|
||||
+ it 'allows linking the disabled provider' do
|
||||
+ user.identities.destroy_all
|
||||
+ sign_in(user)
|
||||
|
||||
- expect { post provider }.to change { user.reload.identities.count }.by(1)
|
||||
- end
|
||||
+ expect { post provider }.to change { user.reload.identities.count }.by(1)
|
||||
+ end
|
||||
|
||||
- context 'sign up' do
|
||||
- include_context 'sign_up'
|
||||
+ context 'sign up' do
|
||||
+ include_context 'sign_up'
|
||||
|
||||
- it 'is prevented' do
|
||||
- post provider
|
||||
+ it 'is prevented' do
|
||||
+ post provider
|
||||
|
||||
- expect(request.env['warden']).not_to be_authenticated
|
||||
+ expect(request.env['warden']).not_to be_authenticated
|
||||
+ end
|
||||
end
|
||||
end
|
||||
end
|
||||
+
|
||||
+ context 'auth0' do
|
||||
+ let(:extern_uid) { '' }
|
||||
+ let(:provider) { :auth0 }
|
||||
+
|
||||
+ it 'does not allow sign in without extern_uid' do
|
||||
+ post 'auth0'
|
||||
+
|
||||
+ expect(request.env['warden']).not_to be_authenticated
|
||||
+ expect(response.status).to eq(302)
|
||||
+ expect(controller).to set_flash[:alert].to('Wrong extern UID provided. Make sure Auth0 is configured correctly.')
|
||||
+ end
|
||||
+ end
|
||||
end
|
||||
--- /dev/null
|
||||
+++ b/spec/migrations/remove_empty_extern_uid_auth0_identities_spec.rb
|
||||
@@ -0,0 +1,22 @@
|
||||
+require 'spec_helper'
|
||||
+require Rails.root.join('db', 'post_migrate', '20180220150310_remove_empty_extern_uid_auth0_identities.rb')
|
||||
+
|
||||
+describe RemoveEmptyExternUidAuth0Identities, :migration do
|
||||
+ let(:identities) { table(:identities) }
|
||||
+
|
||||
+ before do
|
||||
+ identities.create(provider: 'auth0', extern_uid: '')
|
||||
+ identities.create(provider: 'auth0', extern_uid: 'valid')
|
||||
+ identities.create(provider: 'github', extern_uid: '')
|
||||
+
|
||||
+ migrate!
|
||||
+ end
|
||||
+
|
||||
+ it 'leaves the correct auth0 identity' do
|
||||
+ expect(identities.where(provider: 'auth0').pluck(:extern_uid)).to eq(['valid'])
|
||||
+ end
|
||||
+
|
||||
+ it 'leaves the correct github identity' do
|
||||
+ expect(identities.where(provider: 'github').count).to eq(1)
|
||||
+ end
|
||||
+end
|
||||
--- a/Gemfile
|
||||
+++ b/Gemfile
|
||||
@@ -21,7 +21,7 @@
|
||||
gem 'devise', '~> 4.2'
|
||||
gem 'doorkeeper', '~> 4.2'
|
||||
gem 'omniauth', '~> 1.3', '>= 1.3.1'
|
||||
-gem 'omniauth-auth0', '~> 1.4', '>= 1.4.1'
|
||||
+gem 'omniauth-auth0', '~> 2.0'
|
||||
gem 'omniauth-azure-oauth2', '~> 0.0.6'
|
||||
gem 'omniauth-bitbucket', '~> 0.0.2'
|
||||
gem 'omniauth-cas3', '~> 1.1', '>= 1.1.2'
|
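Review bot: The blank-uid guard in the new `auth0` action (`if oauth['uid'].blank?`) protects only that provider, while the new migration (`Identity.where(provider: 'auth0', extern_uid: [nil, ''])`) suggests the underlying problem is an identity lookup that matches an empty `extern_uid`; that lookup lives in the shared path reached through `handle_omniauth`, which is outside the hunk, so an empty uid arriving from any other provider would not be caught here. A guard at the point where the identity is resolved would cover every provider, with `fail_auth0_login` kept as the auth0-specific user-facing message. Separately, the context line `client_id: 'YOUR_AUTH0_CLIENT_ID'',` in `doc/integration/auth0.md` carries a stray quote that the hunk leaves in place.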
431
debian/patches/sec-release-8-13-12.patch
vendored
Normal file
|
@ -0,0 +1,431 @@
|
|||
--- a/app/models/namespace.rb
|
||||
+++ b/app/models/namespace.rb
|
||||
@@ -111,6 +111,8 @@
|
||||
|
||||
Gitlab::UploadsTransfer.new.rename_namespace(path_was, path)
|
||||
|
||||
+ remove_exports!
|
||||
+
|
||||
# If repositories moved successfully we need to
|
||||
# send update instructions to users.
|
||||
# However we cannot allow rollback since we moved namespace dir
|
||||
@@ -174,5 +176,15 @@
|
||||
GitlabShellWorker.perform_in(5.minutes, :rm_namespace, repository_storage_path, new_path)
|
||||
end
|
||||
end
|
||||
+
|
||||
+ remove_exports!
|
||||
+ end
|
||||
+
|
||||
+ def remove_exports!
|
||||
+ Gitlab::Popen.popen(%W(find #{export_path} -not -path #{export_path} -delete))
|
||||
+ end
|
||||
+
|
||||
+ def export_path
|
||||
+ File.join(Gitlab::ImportExport.storage_path, path_was)
|
||||
end
|
||||
end
|
||||
--- a/lib/api/deploy_keys.rb
|
||||
+++ b/lib/api/deploy_keys.rb
|
||||
@@ -100,15 +100,19 @@
|
||||
present key.deploy_key, with: Entities::SSHKey
|
||||
end
|
||||
|
||||
- desc 'Delete existing deploy key of currently authenticated user' do
|
||||
+ desc 'Delete deploy key for a project' do
|
||||
success Key
|
||||
end
|
||||
params do
|
||||
requires :key_id, type: Integer, desc: 'The ID of the deploy key'
|
||||
end
|
||||
delete ":id/#{path}/:key_id" do
|
||||
- key = user_project.deploy_keys.find(params[:key_id])
|
||||
- key.destroy
|
||||
+ key = user_project.deploy_keys_projects.find_by(deploy_key_id: params[:key_id])
|
||||
+ if key
|
||||
+ key.destroy
|
||||
+ else
|
||||
+ not_found!('Deploy Key')
|
||||
+ end
|
||||
end
|
||||
end
|
||||
end
|
||||
--- a/lib/api/helpers.rb
|
||||
+++ b/lib/api/helpers.rb
|
||||
@@ -97,6 +97,12 @@
|
||||
IssuesFinder.new(current_user, project_id: user_project.id).find(id)
|
||||
end
|
||||
|
||||
+ def find_merge_request_with_access(id, access_level = :read_merge_request)
|
||||
+ merge_request = user_project.merge_requests.find(id)
|
||||
+ authorize! access_level, merge_request
|
||||
+ merge_request
|
||||
+ end
|
||||
+
|
||||
def paginate(relation)
|
||||
relation.page(params[:page]).per(params[:per_page].to_i).tap do |data|
|
||||
add_pagination_headers(data)
|
||||
--- a/lib/api/merge_request_diffs.rb
|
||||
+++ b/lib/api/merge_request_diffs.rb
|
||||
@@ -15,10 +15,8 @@
|
||||
end
|
||||
|
||||
get ":id/merge_requests/:merge_request_id/versions" do
|
||||
- merge_request = user_project.merge_requests.
|
||||
- find(params[:merge_request_id])
|
||||
+ merge_request = find_merge_request_with_access(params[:merge_request_id])
|
||||
|
||||
- authorize! :read_merge_request, merge_request
|
||||
present merge_request.merge_request_diffs, with: Entities::MergeRequestDiff
|
||||
end
|
||||
|
||||
@@ -34,10 +32,8 @@
|
||||
end
|
||||
|
||||
get ":id/merge_requests/:merge_request_id/versions/:version_id" do
|
||||
- merge_request = user_project.merge_requests.
|
||||
- find(params[:merge_request_id])
|
||||
+ merge_request = find_merge_request_with_access(params[:merge_request_id])
|
||||
|
||||
- authorize! :read_merge_request, merge_request
|
||||
present merge_request.merge_request_diffs.find(params[:version_id]), with: Entities::MergeRequestDiffFull
|
||||
end
|
||||
end
|
||||
--- a/lib/api/merge_requests.rb
|
||||
+++ b/lib/api/merge_requests.rb
|
||||
@@ -121,9 +121,7 @@
|
||||
# GET /projects/:id/merge_requests/:merge_request_id
|
||||
#
|
||||
get path do
|
||||
- merge_request = user_project.merge_requests.find(params[:merge_request_id])
|
||||
-
|
||||
- authorize! :read_merge_request, merge_request
|
||||
+ merge_request = find_merge_request_with_access(params[:merge_request_id])
|
||||
|
||||
present merge_request, with: Entities::MergeRequest, current_user: current_user
|
||||
end
|
||||
@@ -138,9 +136,8 @@
|
||||
# GET /projects/:id/merge_requests/:merge_request_id/commits
|
||||
#
|
||||
get "#{path}/commits" do
|
||||
- merge_request = user_project.merge_requests.
|
||||
- find(params[:merge_request_id])
|
||||
- authorize! :read_merge_request, merge_request
|
||||
+ merge_request = find_merge_request_with_access(params[:merge_request_id])
|
||||
+
|
||||
present merge_request.commits, with: Entities::RepoCommit
|
||||
end
|
||||
|
||||
@@ -154,9 +151,8 @@
|
||||
# GET /projects/:id/merge_requests/:merge_request_id/changes
|
||||
#
|
||||
get "#{path}/changes" do
|
||||
- merge_request = user_project.merge_requests.
|
||||
- find(params[:merge_request_id])
|
||||
- authorize! :read_merge_request, merge_request
|
||||
+ merge_request = find_merge_request_with_access(params[:merge_request_id])
|
||||
+
|
||||
present merge_request, with: Entities::MergeRequestChanges, current_user: current_user
|
||||
end
|
||||
|
||||
@@ -174,8 +170,7 @@
|
||||
optional :milestone_id, type: Integer, desc: 'The ID of the new milestone'
|
||||
end
|
||||
put path do
|
||||
- merge_request = user_project.merge_requests.find(params[:merge_request_id])
|
||||
- authorize! :update_merge_request, merge_request
|
||||
+ merge_request = find_merge_request_with_access(params.delete(:merge_request_id), :update_merge_request)
|
||||
|
||||
# Ensure source_branch is not specified
|
||||
if params[:source_branch].present?
|
||||
@@ -262,10 +257,7 @@
|
||||
# GET /projects/:id/merge_requests/:merge_request_id/comments
|
||||
#
|
||||
get "#{path}/comments" do
|
||||
- merge_request = user_project.merge_requests.find(params[:merge_request_id])
|
||||
-
|
||||
- authorize! :read_merge_request, merge_request
|
||||
-
|
||||
+ merge_request = find_merge_request_with_access(params[:merge_request_id])
|
||||
present paginate(merge_request.notes.fresh), with: Entities::MRNote
|
||||
end
|
||||
|
||||
@@ -284,9 +276,7 @@
|
||||
post "#{path}/comments" do
|
||||
required_attributes! [:note]
|
||||
|
||||
- merge_request = user_project.merge_requests.find(params[:merge_request_id])
|
||||
-
|
||||
- authorize! :create_note, merge_request
|
||||
+ merge_request = find_merge_request_with_access(params[:merge_request_id], :create_note)
|
||||
|
||||
opts = {
|
||||
note: params[:note],
|
||||
@@ -311,7 +301,7 @@
|
||||
# Examples:
|
||||
# GET /projects/:id/merge_requests/:merge_request_id/closes_issues
|
||||
get "#{path}/closes_issues" do
|
||||
- merge_request = user_project.merge_requests.find(params[:merge_request_id])
|
||||
+ merge_request = find_merge_request_with_access(params[:merge_request_id])
|
||||
issues = ::Kaminari.paginate_array(merge_request.closes_issues(current_user))
|
||||
present paginate(issues), with: issue_entity(user_project), current_user: current_user
|
||||
end
|
||||
--- a/lib/api/notes.rb
|
||||
+++ b/lib/api/notes.rb
|
||||
@@ -74,21 +74,27 @@
|
||||
required_attributes! [:body]
|
||||
|
||||
opts = {
|
||||
- note: params[:body],
|
||||
- noteable_type: noteables_str.classify,
|
||||
- noteable_id: params[noteable_id_str]
|
||||
+ note: params[:body],
|
||||
+ noteable_type: noteables_str.classify,
|
||||
+ noteable_id: params[noteable_id_str]
|
||||
}
|
||||
|
||||
- if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user)
|
||||
- opts[:created_at] = params[:created_at]
|
||||
- end
|
||||
+ noteable = user_project.send(noteables_str.to_sym).find(opts[:noteable_id])
|
||||
+
|
||||
+ if can?(current_user, noteable_read_ability_name(noteable), noteable)
|
||||
+ if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user)
|
||||
+ opts[:created_at] = params[:created_at]
|
||||
+ end
|
||||
|
||||
- note = ::Notes::CreateService.new(user_project, current_user, opts).execute
|
||||
+ note = ::Notes::CreateService.new(user_project, current_user, opts).execute
|
||||
|
||||
- if note.valid?
|
||||
- present note, with: Entities::const_get(note.class.name)
|
||||
+ if note.valid?
|
||||
+ present note, with: Entities::const_get(note.class.name)
|
||||
+ else
|
||||
+ not_found!("Note #{note.errors.messages}")
|
||||
+ end
|
||||
else
|
||||
- not_found!("Note #{note.errors.messages}")
|
||||
+ not_found!("Note")
|
||||
end
|
||||
end
|
||||
|
||||
--- a/lib/api/subscriptions.rb
|
||||
+++ b/lib/api/subscriptions.rb
|
||||
@@ -3,8 +3,8 @@
|
||||
before { authenticate! }
|
||||
|
||||
subscribable_types = {
|
||||
- 'merge_request' => proc { |id| user_project.merge_requests.find(id) },
|
||||
- 'merge_requests' => proc { |id| user_project.merge_requests.find(id) },
|
||||
+ 'merge_request' => proc { |id| find_merge_request_with_access(id, :update_merge_request) },
|
||||
+ 'merge_requests' => proc { |id| find_merge_request_with_access(id, :update_merge_request) },
|
||||
'issues' => proc { |id| find_project_issue(id) },
|
||||
'labels' => proc { |id| find_project_label(id) },
|
||||
}
|
||||
--- a/lib/api/todos.rb
|
||||
+++ b/lib/api/todos.rb
|
||||
@@ -4,7 +4,7 @@
|
||||
before { authenticate! }
|
||||
|
||||
ISSUABLE_TYPES = {
|
||||
- 'merge_requests' => ->(id) { user_project.merge_requests.find(id) },
|
||||
+ 'merge_requests' => ->(id) { find_merge_request_with_access(id) },
|
||||
'issues' => ->(id) { find_project_issue(id) }
|
||||
}
|
||||
|
||||
--- /dev/null
|
||||
+++ b/spec/features/projects/import_export/namespace_export_file_spec.rb
|
||||
@@ -0,0 +1,62 @@
|
||||
+require 'spec_helper'
|
||||
+
|
||||
+feature 'Import/Export - Namespace export file cleanup', feature: true, js: true do
|
||||
+ let(:export_path) { "#{Dir::tmpdir}/import_file_spec" }
|
||||
+ let(:config_hash) { YAML.load_file(Gitlab::ImportExport.config_file).deep_stringify_keys }
|
||||
+
|
||||
+ let(:project) { create(:empty_project) }
|
||||
+
|
||||
+ background do
|
||||
+ allow_any_instance_of(Gitlab::ImportExport).to receive(:storage_path).and_return(export_path)
|
||||
+ end
|
||||
+
|
||||
+ after do
|
||||
+ FileUtils.rm_rf(export_path, secure: true)
|
||||
+ end
|
||||
+
|
||||
+ context 'admin user' do
|
||||
+ before do
|
||||
+ login_as(:admin)
|
||||
+ end
|
||||
+
|
||||
+ context 'moving the namespace' do
|
||||
+ scenario 'removes the export file' do
|
||||
+ setup_export_project
|
||||
+
|
||||
+ old_export_path = project.export_path.dup
|
||||
+
|
||||
+ expect(File).to exist(old_export_path)
|
||||
+
|
||||
+ project.namespace.update(path: 'new_path')
|
||||
+
|
||||
+ expect(File).not_to exist(old_export_path)
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
+ context 'deleting the namespace' do
|
||||
+ scenario 'removes the export file' do
|
||||
+ setup_export_project
|
||||
+
|
||||
+ old_export_path = project.export_path.dup
|
||||
+
|
||||
+ expect(File).to exist(old_export_path)
|
||||
+
|
||||
+ project.namespace.destroy
|
||||
+
|
||||
+ expect(File).not_to exist(old_export_path)
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
+ def setup_export_project
|
||||
+ visit edit_namespace_project_path(project.namespace, project)
|
||||
+
|
||||
+ expect(page).to have_content('Export project')
|
||||
+
|
||||
+ click_link 'Export project'
|
||||
+
|
||||
+ visit edit_namespace_project_path(project.namespace, project)
|
||||
+
|
||||
+ expect(page).to have_content('Download export')
|
||||
+ end
|
||||
+ end
|
||||
+end
|
||||
--- a/spec/models/namespace_spec.rb
|
||||
+++ b/spec/models/namespace_spec.rb
|
||||
@@ -69,6 +69,7 @@
|
||||
new_path = @namespace.path + "_new"
|
||||
allow(@namespace).to receive(:path_was).and_return(@namespace.path)
|
||||
allow(@namespace).to receive(:path).and_return(new_path)
|
||||
+ expect(@namespace).to receive(:remove_exports!)
|
||||
expect(@namespace.move_dir).to be_truthy
|
||||
end
|
||||
|
||||
@@ -91,11 +92,17 @@
|
||||
let!(:project) { create(:project, namespace: namespace) }
|
||||
let!(:path) { File.join(Gitlab.config.repositories.storages.default, namespace.path) }
|
||||
|
||||
- before { namespace.destroy }
|
||||
-
|
||||
it "removes its dirs when deleted" do
|
||||
+ namespace.destroy
|
||||
+
|
||||
expect(File.exist?(path)).to be(false)
|
||||
end
|
||||
+
|
||||
+ it 'removes the exports folder' do
|
||||
+ expect(namespace).to receive(:remove_exports!)
|
||||
+
|
||||
+ namespace.destroy
|
||||
+ end
|
||||
end
|
||||
|
||||
describe '.find_by_path_or_name' do
|
||||
--- a/spec/requests/api/merge_requests_spec.rb
|
||||
+++ b/spec/requests/api/merge_requests_spec.rb
|
||||
@@ -597,6 +597,15 @@
|
||||
expect(json_response.first['title']).to eq(issue.title)
|
||||
expect(json_response.first['id']).to eq(issue.id)
|
||||
end
|
||||
+
|
||||
+ it 'returns 403 if the user has no access to the merge request' do
|
||||
+ guest = create(:user)
|
||||
+ project.team << [guest, :guest]
|
||||
+
|
||||
+ get api("/projects/#{project.id}/merge_requests/#{merge_request.id}/closes_issues", guest)
|
||||
+
|
||||
+ expect(response).to have_http_status(403)
|
||||
+ end
|
||||
end
|
||||
|
||||
describe 'POST :id/merge_requests/:merge_request_id/subscription' do
|
||||
@@ -618,6 +627,15 @@
|
||||
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
+
|
||||
+ it 'returns 403 if user has no access to read code' do
|
||||
+ guest = create(:user)
|
||||
+ project.team << [guest, :guest]
|
||||
+
|
||||
+ post api("/projects/#{project.id}/merge_requests/#{merge_request.id}/subscription", guest)
|
||||
+
|
||||
+ expect(response).to have_http_status(403)
|
||||
+ end
|
||||
end
|
||||
|
||||
describe 'DELETE :id/merge_requests/:merge_request_id/subscription' do
|
||||
@@ -639,6 +657,15 @@
|
||||
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
+
|
||||
+ it 'returns 403 if user has no access to read code' do
|
||||
+ guest = create(:user)
|
||||
+ project.team << [guest, :guest]
|
||||
+
|
||||
+ delete api("/projects/#{project.id}/merge_requests/#{merge_request.id}/subscription", guest)
|
||||
+
|
||||
+ expect(response).to have_http_status(403)
|
||||
+ end
|
||||
end
|
||||
|
||||
def mr_with_later_created_and_updated_at_time
|
||||
--- a/spec/requests/api/notes_spec.rb
|
||||
+++ b/spec/requests/api/notes_spec.rb
|
||||
@@ -253,6 +253,18 @@
|
||||
end
|
||||
end
|
||||
|
||||
+ context 'when user does not have access to read the noteable' do
|
||||
+ it 'responds with 404' do
|
||||
+ project = create(:empty_project, :private) { |p| p.team << [user, :guest] }
|
||||
+ issue = create(:issue, :confidential, project: project)
|
||||
+
|
||||
+ post api("/projects/#{project.id}/issues/#{issue.id}/notes", user),
|
||||
+ body: 'Foo'
|
||||
+
|
||||
+ expect(response).to have_http_status(404)
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
context 'when user does not have access to create noteable' do
|
||||
let(:private_issue) { create(:issue, project: create(:project, :private)) }
|
||||
|
||||
--- a/spec/requests/api/todos_spec.rb
|
||||
+++ b/spec/requests/api/todos_spec.rb
|
||||
@@ -183,12 +183,25 @@
|
||||
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
+
|
||||
+ it 'returns an error if the issuable is not accessible' do
|
||||
+ guest = create(:user)
|
||||
+ project_1.team << [guest, :guest]
|
||||
+
|
||||
+ post api("/projects/#{project_1.id}/#{issuable_type}/#{issuable.id}/todo", guest)
|
||||
+
|
||||
+ if issuable_type == 'merge_requests'
|
||||
+ expect(response).to have_http_status(403)
|
||||
+ else
|
||||
+ expect(response).to have_http_status(404)
|
||||
+ end
|
||||
+ end
|
||||
end
|
||||
|
||||
describe 'POST :id/issuable_type/:issueable_id/todo' do
|
||||
context 'for an issue' do
|
||||
it_behaves_like 'an issuable', 'issues' do
|
||||
- let(:issuable) { create(:issue, author: author_1, project: project_1) }
|
||||
+ let(:issuable) { create(:issue, :confidential, author: author_1, project: project_1) }
|
||||
end
|
||||
end
|
||||
|
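--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,11 @@ pid-log-paths.patch
 0210-use-jquery-ui-rails6.patch
 0300-git-2-11-support.patch
 cve-2017-0882.patch
+sec-release-8-13-12.patch
+cve-2017-0926.patch
+cve-2017-3710.patch
+cve-2017-0918.patch
+cve-2017-0925.patch
+cve-2017-0916.patch
+cve-2018-8971.patch
+cve-2017-0920.patch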