Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
1f588dcb
Commit
1f588dcb
authored
Feb 01, 2021
by
GitLab Release Tools Bot
Browse files
Options
Browse Files
Download
Plain Diff
Merge remote-tracking branch 'dev/13-8-stable' into 13-8-stable
parents
7248f8bf
643958d4
Changes
20
Show whitespace changes
Inline
Side-by-side
Showing
20 changed files
with
274 additions
and
13 deletions
+274
-13
CHANGELOG.md
CHANGELOG.md
+11
-0
GITALY_SERVER_VERSION
GITALY_SERVER_VERSION
+1
-1
VERSION
VERSION
+1
-1
app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
...equest_widget/components/mr_widget_pipeline_container.vue
+2
-1
app/controllers/projects/releases_controller.rb
app/controllers/projects/releases_controller.rb
+3
-0
app/presenters/release_presenter.rb
app/presenters/release_presenter.rb
+2
-0
config/routes.rb
config/routes.rb
+1
-0
config/routes/unmatched_project.rb
config/routes/unmatched_project.rb
+18
-0
lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
+11
-3
lib/gitlab/url_blocker.rb
lib/gitlab/url_blocker.rb
+3
-1
spec/controllers/projects/releases_controller_spec.rb
spec/controllers/projects/releases_controller_spec.rb
+9
-0
spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
...mr_widget/components/mr_widget_pipeline_container_spec.js
+12
-0
spec/lib/gitlab/graphql/query_analyzers/logger_analyzer_spec.rb
...ib/gitlab/graphql/query_analyzers/logger_analyzer_spec.rb
+18
-0
spec/lib/gitlab/url_blocker_spec.rb
spec/lib/gitlab/url_blocker_spec.rb
+15
-0
spec/presenters/release_presenter_spec.rb
spec/presenters/release_presenter_spec.rb
+6
-0
spec/requests/git_http_spec.rb
spec/requests/git_http_spec.rb
+6
-2
spec/routing/git_http_routing_spec.rb
spec/routing/git_http_routing_spec.rb
+21
-0
spec/routing/project_routing_spec.rb
spec/routing/project_routing_spec.rb
+69
-0
spec/support/matchers/route_to_route_not_found_matcher.rb
spec/support/matchers/route_to_route_not_found_matcher.rb
+15
-0
spec/support/shared_examples/routing/git_http_routing_shared_examples.rb
...ared_examples/routing/git_http_routing_shared_examples.rb
+50
-4
No files found.
CHANGELOG.md
View file @
1f588dcb
...
...
@@ -2,6 +2,17 @@
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
entry.
## 13.8.2 (2021-02-01)
### Security (5 changes)
-
Filter sensitive GraphQL variables from logs.
-
Avoid exposing release links when the user cannot read git-tag/repository.
-
Sanitize target branch on MR page.
-
Fix DNS rebinding protection bypass when allowing an IP address in Outbound Requests setting.
-
Add routes for unmatched url for not-get requests.
## 13.8.1 (2021-01-26)
### Fixed (3 changes)
...
...
GITALY_SERVER_VERSION
View file @
1f588dcb
13.8.1
\ No newline at end of file
13.8.2
\ No newline at end of file
VERSION
View file @
1f588dcb
13.8.1
\ No newline at end of file
13.8.2
\ No newline at end of file
app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
View file @
1f588dcb
<
script
>
import
{
isNumber
}
from
'
lodash
'
;
import
{
sanitize
}
from
'
~/lib/dompurify
'
;
import
ArtifactsApp
from
'
./artifacts_list_app.vue
'
;
import
MrWidgetContainer
from
'
./mr_widget_container.vue
'
;
import
MrWidgetPipeline
from
'
./mr_widget_pipeline.vue
'
;
...
...
@@ -40,7 +41,7 @@ export default {
return
this
.
isPostMerge
?
this
.
mr
.
targetBranch
:
this
.
mr
.
sourceBranch
;
},
branchLink
()
{
return
this
.
isPostMerge
?
this
.
mr
.
targetBranch
:
this
.
mr
.
sourceBranchLink
;
return
this
.
isPostMerge
?
sanitize
(
this
.
mr
.
targetBranch
)
:
this
.
mr
.
sourceBranchLink
;
},
deployments
()
{
return
this
.
isPostMerge
?
this
.
mr
.
postMergeDeployments
:
this
.
mr
.
deployments
;
...
...
app/controllers/projects/releases_controller.rb
View file @
1f588dcb
...
...
@@ -5,6 +5,9 @@ class Projects::ReleasesController < Projects::ApplicationController
before_action
:require_non_empty_project
,
except:
[
:index
]
before_action
:release
,
only:
%i[edit show update downloads]
before_action
:authorize_read_release!
# We have to check `download_code` permission because detail URL path
# contains git-tag name.
before_action
:authorize_download_code!
,
except:
[
:index
]
before_action
do
push_frontend_feature_flag
(
:graphql_release_data
,
project
,
default_enabled:
true
)
push_frontend_feature_flag
(
:graphql_milestone_stats
,
project
,
default_enabled:
true
)
...
...
app/presenters/release_presenter.rb
View file @
1f588dcb
...
...
@@ -20,6 +20,8 @@ class ReleasePresenter < Gitlab::View::Presenter::Delegated
end
def
self_url
return
unless
can_download_code?
project_release_url
(
project
,
release
)
end
...
...
config/routes.rb
View file @
1f588dcb
...
...
@@ -275,6 +275,7 @@ Rails.application.routes.draw do
draw
:dashboard
draw
:user
draw
:project
draw
:unmatched_project
# Issue https://gitlab.com/gitlab-org/gitlab/-/issues/210024
scope
as:
'deprecated'
do
...
...
config/routes/unmatched_project.rb
0 → 100644
View file @
1f588dcb
# frozen_string_literal: true
scope
(
path:
'*namespace_id'
,
as: :namespace
,
namespace_id:
Gitlab
::
PathRegex
.
full_namespace_route_regex
)
do
scope
(
path:
':project_id'
,
constraints:
{
project_id:
Gitlab
::
PathRegex
.
project_route_regex
},
as: :project
)
do
post
'*all'
,
to:
'application#route_not_found'
put
'*all'
,
to:
'application#route_not_found'
patch
'*all'
,
to:
'application#route_not_found'
delete
'*all'
,
to:
'application#route_not_found'
post
'/'
,
to:
'application#route_not_found'
put
'/'
,
to:
'application#route_not_found'
patch
'/'
,
to:
'application#route_not_found'
delete
'/'
,
to:
'application#route_not_found'
end
end
lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
View file @
1f588dcb
...
...
@@ -49,11 +49,19 @@ module Gitlab
private
def
process_variables
(
variables
)
if
variables
.
respond_to?
(
:to_s
)
variables
.
to_s
filtered_variables
=
filter_sensitive_variables
(
variables
)
if
filtered_variables
.
respond_to?
(
:to_s
)
filtered_variables
.
to_s
else
variables
filtered_variables
end
end
def
filter_sensitive_variables
(
variables
)
ActiveSupport
::
ParameterFilter
.
new
(
::
Rails
.
application
.
config
.
filter_parameters
)
.
filter
(
variables
)
end
def
duration
(
time_started
)
...
...
lib/gitlab/url_blocker.rb
View file @
1f588dcb
...
...
@@ -49,10 +49,12 @@ module Gitlab
return
[
uri
,
nil
]
unless
address_info
ip_address
=
ip_address
(
address_info
)
return
[
uri
,
nil
]
if
domain_allowed?
(
uri
)
||
ip_allowed?
(
ip_address
,
port:
get_port
(
uri
))
return
[
uri
,
nil
]
if
domain_allowed?
(
uri
)
protected_uri_with_hostname
=
enforce_uri_hostname
(
ip_address
,
uri
,
dns_rebind_protection
)
return
protected_uri_with_hostname
if
ip_allowed?
(
ip_address
,
port:
get_port
(
uri
))
# Allow url from the GitLab instance itself but only for the configured hostname and ports
return
protected_uri_with_hostname
if
internal?
(
uri
)
...
...
spec/controllers/projects/releases_controller_spec.rb
View file @
1f588dcb
...
...
@@ -9,6 +9,7 @@ RSpec.describe Projects::ReleasesController do
let_it_be
(
:private_project
)
{
create
(
:project
,
:repository
,
:private
)
}
let_it_be
(
:developer
)
{
create
(
:user
)
}
let_it_be
(
:reporter
)
{
create
(
:user
)
}
let_it_be
(
:guest
)
{
create
(
:user
)
}
let_it_be
(
:user
)
{
developer
}
let!
(
:release_1
)
{
create
(
:release
,
project:
project
,
released_at:
Time
.
zone
.
parse
(
'2018-10-18'
))
}
let!
(
:release_2
)
{
create
(
:release
,
project:
project
,
released_at:
Time
.
zone
.
parse
(
'2019-10-19'
))
}
...
...
@@ -16,6 +17,7 @@ RSpec.describe Projects::ReleasesController do
before
do
project
.
add_developer
(
developer
)
project
.
add_reporter
(
reporter
)
project
.
add_guest
(
guest
)
end
shared_examples_for
'successful request'
do
...
...
@@ -199,6 +201,13 @@ RSpec.describe Projects::ReleasesController do
it_behaves_like
'not found'
end
context
'when user is a guest'
do
let
(
:project
)
{
private_project
}
let
(
:user
)
{
guest
}
it_behaves_like
'not found'
end
end
# `GET #downloads` is addressed in spec/requests/projects/releases_controller_spec.rb
...
...
spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
View file @
1f588dcb
...
...
@@ -78,6 +78,18 @@ describe('MrWidgetPipelineContainer', () => {
});
});
it
(
'
sanitizes the targetBranch
'
,
()
=>
{
factory
({
isPostMerge
:
true
,
mr
:
{
...
mockStore
,
targetBranch
:
'
Foo<script>alert("XSS")</script>
'
,
},
});
expect
(
wrapper
.
find
(
MrWidgetPipeline
).
props
().
sourceBranchLink
).
toBe
(
'
Foo
'
);
});
it
(
'
renders deployments
'
,
()
=>
{
const
expectedProps
=
mockStore
.
postMergeDeployments
.
map
((
dep
)
=>
expect
.
objectContaining
({
...
...
spec/lib/gitlab/graphql/query_analyzers/logger_analyzer_spec.rb
View file @
1f588dcb
...
...
@@ -40,4 +40,22 @@ RSpec.describe Gitlab::Graphql::QueryAnalyzers::LoggerAnalyzer do
end
end
end
describe
'#initial_value'
do
it
'filters out sensitive variables'
do
doc
=
GraphQL
.
parse
<<-
GRAPHQL
mutation createNote($body: String!) {
createNote(input: {noteableId: "1", body: $body}) {
note {
id
}
}
}
GRAPHQL
query
=
GraphQL
::
Query
.
new
(
GitlabSchema
,
document:
doc
,
context:
{},
variables:
{
body:
"some note"
})
expect
(
subject
.
initial_value
(
query
)[
:variables
]).
to
eq
(
'{:body=>"[FILTERED]"}'
)
end
end
end
spec/lib/gitlab/url_blocker_spec.rb
View file @
1f588dcb
...
...
@@ -91,6 +91,21 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
end
end
context
'DNS rebinding protection with IP allowed'
do
let
(
:import_url
)
{
'http://a.192.168.0.120.3times.127.0.0.1.1time.repeat.rebind.network:9121/scrape?target=unix:///var/opt/gitlab/redis/redis.socket&check-keys=*'
}
before
do
stub_dns
(
import_url
,
ip_address:
'192.168.0.120'
)
allow
(
Gitlab
::
UrlBlockers
::
UrlAllowlist
).
to
receive
(
:ip_allowed?
).
and_return
(
true
)
end
it_behaves_like
'validates URI and hostname'
do
let
(
:expected_uri
)
{
'http://192.168.0.120:9121/scrape?target=unix:///var/opt/gitlab/redis/redis.socket&check-keys=*'
}
let
(
:expected_hostname
)
{
'a.192.168.0.120.3times.127.0.0.1.1time.repeat.rebind.network'
}
end
end
context
'disabled DNS rebinding protection'
do
subject
{
described_class
.
validate!
(
import_url
,
dns_rebind_protection:
false
)
}
...
...
spec/presenters/release_presenter_spec.rb
View file @
1f588dcb
...
...
@@ -62,6 +62,12 @@ RSpec.describe ReleasePresenter do
it
'returns its own url'
do
is_expected
.
to
eq
(
project_release_url
(
project
,
release
))
end
context
'when user is guest'
do
let
(
:user
)
{
guest
}
it
{
is_expected
.
to
be_nil
}
end
end
describe
'#opened_merge_requests_url'
do
...
...
spec/requests/git_http_spec.rb
View file @
1f588dcb
...
...
@@ -159,13 +159,17 @@ RSpec.describe 'Git HTTP requests' do
context
"POST git-upload-pack"
do
it
"fails to find a route"
do
expect
{
clone_post
(
repository_path
)
}.
to
raise_error
(
ActionController
::
RoutingError
)
clone_post
(
repository_path
)
do
|
response
|
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
end
end
context
"POST git-receive-pack"
do
it
"fails to find a route"
do
expect
{
push_post
(
repository_path
)
}.
to
raise_error
(
ActionController
::
RoutingError
)
push_post
(
repository_path
)
do
|
response
|
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
end
end
end
...
...
spec/routing/git_http_routing_spec.rb
View file @
1f588dcb
...
...
@@ -7,6 +7,10 @@ RSpec.describe 'git_http routing' do
it_behaves_like
'git repository routes'
do
let
(
:path
)
{
'/gitlab-org/gitlab-test.git'
}
end
it_behaves_like
'git repository routes with fallback for git-upload-pack'
do
let
(
:path
)
{
'/gitlab-org/gitlab-test.git'
}
end
end
describe
'wiki repositories'
do
...
...
@@ -14,6 +18,7 @@ RSpec.describe 'git_http routing' do
let
(
:path
)
{
'/gitlab-org/gitlab-test.wiki.git'
}
it_behaves_like
'git repository routes'
it_behaves_like
'git repository routes with fallback for git-upload-pack'
describe
'redirects'
,
type: :request
do
let
(
:web_path
)
{
'/gitlab-org/gitlab-test/-/wikis'
}
...
...
@@ -37,12 +42,20 @@ RSpec.describe 'git_http routing' do
it_behaves_like
'git repository routes'
do
let
(
:path
)
{
'/gitlab-org.wiki.git'
}
end
it_behaves_like
'git repository routes with fallback for git-upload-pack'
do
let
(
:path
)
{
'/gitlab-org.wiki.git'
}
end
end
context
'in child group'
do
it_behaves_like
'git repository routes'
do
let
(
:path
)
{
'/gitlab-org/child.wiki.git'
}
end
it_behaves_like
'git repository routes with fallback for git-upload-pack'
do
let
(
:path
)
{
'/gitlab-org/child.wiki.git'
}
end
end
end
...
...
@@ -51,12 +64,20 @@ RSpec.describe 'git_http routing' do
it_behaves_like
'git repository routes'
do
let
(
:path
)
{
'/snippets/123.git'
}
end
it_behaves_like
'git repository routes without fallback'
do
let
(
:path
)
{
'/snippets/123.git'
}
end
end
context
'project snippet'
do
it_behaves_like
'git repository routes'
do
let
(
:path
)
{
'/gitlab-org/gitlab-test/snippets/123.git'
}
end
it_behaves_like
'git repository routes with fallback'
do
let
(
:path
)
{
'/gitlab-org/gitlab-test/snippets/123.git'
}
end
end
end
end
spec/routing/project_routing_spec.rb
View file @
1f588dcb
...
...
@@ -876,4 +876,73 @@ RSpec.describe 'project routing' do
)
end
end
context
'with a non-existent project'
do
it
'routes to 404 with get request'
do
expect
(
get:
"/gitlab/not_exist"
).
to
route_to
(
'application#route_not_found'
,
unmatched_route:
'gitlab/not_exist'
)
end
it
'routes to 404 with delete request'
do
expect
(
delete:
"/gitlab/not_exist"
).
to
route_to
(
'application#route_not_found'
,
namespace_id:
'gitlab'
,
project_id:
'not_exist'
)
end
it
'routes to 404 with post request'
do
expect
(
post:
"/gitlab/not_exist"
).
to
route_to
(
'application#route_not_found'
,
namespace_id:
'gitlab'
,
project_id:
'not_exist'
)
end
it
'routes to 404 with put request'
do
expect
(
put:
"/gitlab/not_exist"
).
to
route_to
(
'application#route_not_found'
,
namespace_id:
'gitlab'
,
project_id:
'not_exist'
)
end
context
'with route to some action'
do
it
'routes to 404 with get request to'
do
expect
(
get:
"/gitlab/not_exist/some_action"
).
to
route_to
(
'application#route_not_found'
,
unmatched_route:
'gitlab/not_exist/some_action'
)
end
it
'routes to 404 with delete request'
do
expect
(
delete:
"/gitlab/not_exist/some_action"
).
to
route_to
(
'application#route_not_found'
,
namespace_id:
'gitlab'
,
project_id:
'not_exist'
,
all:
'some_action'
)
end
it
'routes to 404 with post request'
do
expect
(
post:
"/gitlab/not_exist/some_action"
).
to
route_to
(
'application#route_not_found'
,
namespace_id:
'gitlab'
,
project_id:
'not_exist'
,
all:
'some_action'
)
end
it
'routes to 404 with put request'
do
expect
(
put:
"/gitlab/not_exist/some_action"
).
to
route_to
(
'application#route_not_found'
,
namespace_id:
'gitlab'
,
project_id:
'not_exist'
,
all:
'some_action'
)
end
end
end
end
spec/support/matchers/route_to_route_not_found_matcher.rb
0 → 100644
View file @
1f588dcb
# frozen_string_literal: true
RSpec
::
Matchers
.
define
:route_to_route_not_found
do
match
do
|
actual
|
expect
(
actual
).
to
route_to
(
controller:
'application'
,
action:
'route_not_found'
)
rescue
RSpec
::
Expectations
::
ExpectationNotMetError
=>
e
# `route_to` matcher requires providing all params for exact match. As we use it in shared examples and we provide different paths,
# this matcher checks if provided route matches controller and action, without checking params.
expect
(
e
.
message
).
to
include
(
"-{
\"
controller
\"
=>
\"
application
\"
,
\"
action
\"
=>
\"
route_not_found
\"
}
\n
+{
\"
controller
\"
=>
\"
application
\"
,
\"
action
\"
=>
\"
route_not_found
\"
,"
)
end
failure_message
do
|
_
|
"expected
#{
actual
}
to route to route_not_found"
end
end
spec/support/shared_examples/routing/git_http_routing_shared_examples.rb
View file @
1f588dcb
...
...
@@ -16,10 +16,6 @@ RSpec.shared_examples 'git repository routes' do
expect
(
get
(
"
#{
container_path
}
/info/refs?service=git-upload-pack"
)).
to
redirect_to
(
"
#{
container_path
}
.git/info/refs?service=git-upload-pack"
)
expect
(
get
(
"
#{
container_path
}
/info/refs?service=git-receive-pack"
)).
to
redirect_to
(
"
#{
container_path
}
.git/info/refs?service=git-receive-pack"
)
end
it
'does not redirect other requests'
do
expect
(
post
(
"
#{
container_path
}
/git-upload-pack"
)).
not_to
be_routable
end
end
it
'routes LFS endpoints'
do
...
...
@@ -35,6 +31,56 @@ RSpec.shared_examples 'git repository routes' do
expect
(
get
(
"
#{
path
}
/gitlab-lfs/objects/
#{
oid
}
"
)).
to
route_to
(
'repositories/lfs_storage#download'
,
oid:
oid
,
**
params
)
expect
(
put
(
"
#{
path
}
/gitlab-lfs/objects/
#{
oid
}
/456/authorize"
)).
to
route_to
(
'repositories/lfs_storage#upload_authorize'
,
oid:
oid
,
size:
'456'
,
**
params
)
expect
(
put
(
"
#{
path
}
/gitlab-lfs/objects/
#{
oid
}
/456"
)).
to
route_to
(
'repositories/lfs_storage#upload_finalize'
,
oid:
oid
,
size:
'456'
,
**
params
)
end
end
RSpec
.
shared_examples
'git repository routes without fallback'
do
let
(
:container_path
)
{
path
.
delete_suffix
(
'.git'
)
}
context
'requests without .git format'
do
it
'does not redirect other requests'
do
expect
(
post
(
"
#{
container_path
}
/git-upload-pack"
)).
not_to
be_routable
end
end
it
'routes LFS endpoints for unmatched routes'
do
oid
=
generate
(
:oid
)
expect
(
put
(
"
#{
path
}
/gitlab-lfs/objects/foo"
)).
not_to
be_routable
expect
(
put
(
"
#{
path
}
/gitlab-lfs/objects/
#{
oid
}
/foo"
)).
not_to
be_routable
expect
(
put
(
"
#{
path
}
/gitlab-lfs/objects/
#{
oid
}
/foo/authorize"
)).
not_to
be_routable
end
end
RSpec
.
shared_examples
'git repository routes with fallback'
do
let
(
:container_path
)
{
path
.
delete_suffix
(
'.git'
)
}
context
'requests without .git format'
do
it
'does not redirect other requests'
do
expect
(
post
(
"
#{
container_path
}
/git-upload-pack"
)).
to
route_to_route_not_found
end
end
it
'routes LFS endpoints'
do
oid
=
generate
(
:oid
)
expect
(
put
(
"
#{
path
}
/gitlab-lfs/objects/foo"
)).
to
route_to_route_not_found
expect
(
put
(
"
#{
path
}
/gitlab-lfs/objects/
#{
oid
}
/foo"
)).
to
route_to_route_not_found
expect
(
put
(
"
#{
path
}
/gitlab-lfs/objects/
#{
oid
}
/foo/authorize"
)).
to
route_to_route_not_found
end
end
RSpec
.
shared_examples
'git repository routes with fallback for git-upload-pack'
do
let
(
:container_path
)
{
path
.
delete_suffix
(
'.git'
)
}
context
'requests without .git format'
do
it
'does not redirect other requests'
do
expect
(
post
(
"
#{
container_path
}
/git-upload-pack"
)).
to
route_to_route_not_found
end
end
it
'routes LFS endpoints for unmatched routes'
do
oid
=
generate
(
:oid
)
expect
(
put
(
"
#{
path
}
/gitlab-lfs/objects/foo"
)).
not_to
be_routable
expect
(
put
(
"
#{
path
}
/gitlab-lfs/objects/
#{
oid
}
/foo"
)).
not_to
be_routable
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment