Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
0cb369aa
Commit
0cb369aa
authored
Oct 30, 2020
by
GitLab Bot
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add latest changes from gitlab-org/security/gitlab@13-5-stable-ee
parent
b5e7de21
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
29 additions
and
12 deletions
+29
-12
app/services/terraform/remote_state_handler.rb
app/services/terraform/remote_state_handler.rb
+2
-0
changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml
...curity-fix-terraform-state-exposed-object-storage-url.yml
+5
-0
lib/api/terraform/state.rb
lib/api/terraform/state.rb
+6
-3
spec/requests/api/terraform/state_spec.rb
spec/requests/api/terraform/state_spec.rb
+6
-1
spec/services/terraform/remote_state_handler_spec.rb
spec/services/terraform/remote_state_handler_spec.rb
+10
-8
No files found.
app/services/terraform/remote_state_handler.rb
View file @
0cb369aa
...
...
@@ -23,6 +23,8 @@ module Terraform
state
.
save!
unless
state
.
destroyed?
end
nil
end
def
lock!
...
...
changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml
0 → 100644
View file @
0cb369aa
---
title
:
Do not expose Terraform state record in API
merge_request
:
author
:
type
:
security
lib/api/terraform/state.rb
View file @
0cb369aa
...
...
@@ -39,7 +39,6 @@ module API
env
[
'api.format'
]
=
:binary
# this bypasses json serialization
body
state
.
latest_file
.
read
status
:ok
end
end
...
...
@@ -53,8 +52,10 @@ module API
remote_state_handler
.
handle_with_lock
do
|
state
|
state
.
update_file!
(
CarrierWaveStringFile
.
new
(
data
),
version:
params
[
:serial
])
status
:ok
end
body
false
status
:ok
end
desc
'Delete a terraform state of a certain name'
...
...
@@ -64,8 +65,10 @@ module API
remote_state_handler
.
handle_with_lock
do
|
state
|
state
.
destroy!
status
:ok
end
body
false
status
:ok
end
desc
'Lock a terraform state of a certain name'
...
...
spec/requests/api/terraform/state_spec.rb
View file @
0cb369aa
...
...
@@ -125,6 +125,7 @@ RSpec.describe API::Terraform::State do
expect
{
request
}.
to
change
{
Terraform
::
State
.
count
}.
by
(
0
)
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
Gitlab
::
Json
.
parse
(
response
.
body
)).
to
be_empty
end
context
'on Unicorn'
,
:unicorn
do
...
...
@@ -132,6 +133,7 @@ RSpec.describe API::Terraform::State do
expect
{
request
}.
to
change
{
Terraform
::
State
.
count
}.
by
(
0
)
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
Gitlab
::
Json
.
parse
(
response
.
body
)).
to
be_empty
end
end
end
...
...
@@ -167,6 +169,7 @@ RSpec.describe API::Terraform::State do
expect
{
request
}.
to
change
{
Terraform
::
State
.
count
}.
by
(
1
)
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
Gitlab
::
Json
.
parse
(
response
.
body
)).
to
be_empty
end
context
'on Unicorn'
,
:unicorn
do
...
...
@@ -174,6 +177,7 @@ RSpec.describe API::Terraform::State do
expect
{
request
}.
to
change
{
Terraform
::
State
.
count
}.
by
(
1
)
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
Gitlab
::
Json
.
parse
(
response
.
body
)).
to
be_empty
end
end
end
...
...
@@ -206,10 +210,11 @@ RSpec.describe API::Terraform::State do
context
'with maintainer permissions'
do
let
(
:current_user
)
{
maintainer
}
it
'deletes the state'
do
it
'deletes the state
and returns empty body
'
do
expect
{
request
}.
to
change
{
Terraform
::
State
.
count
}.
by
(
-
1
)
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
Gitlab
::
Json
.
parse
(
response
.
body
)).
to
be_empty
end
end
...
...
spec/services/terraform/remote_state_handler_spec.rb
View file @
0cb369aa
...
...
@@ -42,17 +42,17 @@ RSpec.describe Terraform::RemoteStateHandler do
describe
'#handle_with_lock'
do
it
'allows to modify a state using database locking'
do
state
=
subject
.
handle_with_lock
do
|
state
|
record
=
nil
subject
.
handle_with_lock
do
|
state
|
record
=
state
state
.
name
=
'updated-name'
end
expect
(
state
.
name
).
to
eq
'updated-name'
expect
(
record
.
reload
.
name
).
to
eq
'updated-name'
end
it
'returns the state object itself'
do
state
=
subject
.
handle_with_lock
expect
(
state
.
name
).
to
eq
'my-state'
it
'returns nil'
do
expect
(
subject
.
handle_with_lock
).
to
be_nil
end
end
...
...
@@ -70,11 +70,13 @@ RSpec.describe Terraform::RemoteStateHandler do
it
'handles a locked state using exclusive read lock'
do
handler
.
lock!
state
=
handler
.
handle_with_lock
do
|
state
|
record
=
nil
handler
.
handle_with_lock
do
|
state
|
record
=
state
state
.
name
=
'new-name'
end
expect
(
state
.
name
).
to
eq
'new-name'
expect
(
record
.
reload
.
name
).
to
eq
'new-name'
end
it
'raises exception if lock has not been acquired before'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment