Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee

bd200951 · GitLab Bot · 19e2b7fa · bd200951 · bd200951 · bd200951
Commit bd200951 authored Jan 06, 2021 by GitLab Bot
9 changed files
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
-1.32.0
+1.34.0
--- a/changelogs/unreleased/security-package-regex-dos.yml
+++ b/changelogs/unreleased/security-package-regex-dos.yml
+---
+title: Fix regular expression backtracking issue in package name validation
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-pages-1-33.yml
+++ b/changelogs/unreleased/security-pages-1-33.yml
+---
+title: Fix stealing API token from GitLab Pages and DoS Prometheus through GitLab Pages
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-trusted-confidential-apps.yml
+++ b/changelogs/unreleased/security-trusted-confidential-apps.yml
+---
+title: Update trusted OAuth applications to set them as confidential
+merge_request:
+author:
+type: security
--- a/db/migrate/20201222151823_update_trusted_apps_to_confidential.rb
+++ b/db/migrate/20201222151823_update_trusted_apps_to_confidential.rb
+# frozen_string_literal: true
+
+class UpdateTrustedAppsToConfidential < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+  INDEX_NAME = 'tmp_index_oauth_applications_on_id_where_trusted'
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :oauth_applications, :id, where: 'trusted = true', name: INDEX_NAME
+
+    execute('UPDATE oauth_applications SET confidential = true WHERE trusted = true')
+  end
+
+  def down
+    # We won't be able to tell which trusted applications weren't confidential before the migration
+    # and setting all trusted applications are not confidential would introduce security issues
+
+    remove_concurrent_index_by_name :oauth_applications, INDEX_NAME
+  end
+end
--- a/db/schema_migrations/20201222151823
+++ b/db/schema_migrations/20201222151823
+d3af120a74b4c55345ac7fb524395251cd3c1b3cd9685f711196a134f427845c
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -23004,6 +23004,8 @@ CREATE INDEX tmp_build_stage_position_index ON ci_builds USING btree (stage_id,

 CREATE INDEX tmp_index_for_email_unconfirmation_migration ON emails USING btree (id) WHERE (confirmed_at IS NOT NULL);

+CREATE INDEX tmp_index_oauth_applications_on_id_where_trusted ON oauth_applications USING btree (id) WHERE (trusted = true);
+
 CREATE INDEX tmp_index_on_vulnerabilities_non_dismissed ON vulnerabilities USING btree (id) WHERE (state <> 2);

 CREATE UNIQUE INDEX unique_merge_request_metrics_by_merge_request_id ON merge_request_metrics USING btree (merge_request_id);

--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -27,7 +27,18 @@ module Gitlab
      end

      def package_name_regex
-        @package_name_regex ||= %r{\A\@?(([\w\-\.\+]*)\/)*([\w\-\.]+)@?(([\w\-\.\+]*)\/)*([\w\-\.]*)\z}.freeze
+        @package_name_regex ||=
+          %r{
+              \A\@?
+              (?> # atomic group to prevent backtracking
+                (([\w\-\.\+]*)\/)*([\w\-\.]+)
+              )
+              @?
+              (?> # atomic group to prevent backtracking
+                (([\w\-\.\+]*)\/)*([\w\-\.]*)
+              )
+              \z
+            }x.freeze
      end

      def maven_file_name_regex

--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@@ -292,6 +292,12 @@ RSpec.describe Gitlab::Regex do
    it { is_expected.not_to match('my package name') }
    it { is_expected.not_to match('!!()()') }
    it { is_expected.not_to match("..\n..\foo") }
+
+    it 'has no backtracking issue' do
+      Timeout.timeout(1) do
+        expect(subject).not_to match("-" * 50000 + ";")
+      end
+    end
  end

  describe '.maven_file_name_regex' do