author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 13:48:49 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 13:48:49 +0000 |
commit | 51ed9979342b862aa9b60c363c388c6c0daefdf0 (patch) | |
tree | 848824f787de3a8edd2e6faef2e6a23490478135 | |
parent | 0ccebe8234f69119b9b05eb39c98c141c004e715 (diff) | |
Add latest changes from gitlab-org/security/gitlab@12-8-stable-ee
4 files changed, 27 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml b/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml
new file mode 100644
index 00000000000..1869e6ea039
--- /dev/null
+++ b/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml
@@ -0,0 +1,5 @@
+---
+title: Disable caching on repo/blobs/[sha]/raw endpoint
+merge_request:
+author:
+type: security
diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb
index 9953d3138f5..df80fae97d6 100644
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -6,6 +6,8 @@ module API
   class Repositories < Grape::API
     include PaginationParams
 
+    helpers ::API::Helpers::HeadersHelpers
+
     before { authorize! :download_code, user_project }
 
     params do
@@ -65,6 +67,8 @@ module API
       get ':id/repository/blobs/:sha/raw' do
         assign_blob_vars!
 
+        no_cache_headers
+
         send_git_blob @repo, @blob
       end
 
diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb
index cea08aa8767..58aa04c621f 100644
--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -177,6 +177,12 @@ describe API::Repositories do
         expect(headers['Content-Disposition']).to eq 'inline'
       end
 
+      it_behaves_like 'uncached response' do
+        before do
+          get api(route, current_user)
+        end
+      end
+
       context 'when sha does not exist' do
         it_behaves_like '404 response' do
           let(:request) { get api(route.sub(sample_blob.oid, '123456'), current_user) }
diff --git a/spec/support/shared_examples/uncached_response_shared_examples.rb b/spec/support/shared_examples/uncached_response_shared_examples.rb
new file mode 100644
index 00000000000..3997017ff35
--- /dev/null
+++ b/spec/support/shared_examples/uncached_response_shared_examples.rb
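Review bot: In the `@@ -65,6 +67,8 @@` hunk of lib/api/repositories.rb, `no_cache_headers` is added only to the `:id/repository/blobs/:sha/raw` route, and the rest of the class is outside the hunk; if this file exposes other routes that return blob bytes (the `/raw` suffix suggests a non-raw sibling route), they presumably carry the same exposure to shared or browser caches and should get the same call — confirm against the full file. The call also reads as incidental next to `send_git_blob`, so it deserves a why-comment, e.g. `# Blob bytes are served only after authorize! :download_code; forbid browser/proxy caching so a cached copy cannot be replayed to another principal.` Whether `send_git_blob` (defined outside the hunk) could later overwrite `Cache-Control` is not visible here; the new example in spec/requests/api/repositories_spec.rb is what guards that ordering, so the two changes should stay together.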
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+#
+# Pairs with lib/gitlab/no_cache_headers.rb
+#
+
+RSpec.shared_examples 'uncached response' do
+  it 'defines an uncached header response' do
+    expect(response.headers["Cache-Control"]).to include("no-store", "no-cache")
+    expect(response.headers["Pragma"]).to eq("no-cache")
+    expect(response.headers["Expires"]).to eq("Fri, 01 Jan 1990 00:00:00 GMT")
+  end
+end
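Review bot: The header comment of the new shared example says it `Pairs with lib/gitlab/no_cache_headers.rb`, while the API side of this commit brings the behaviour in through `helpers ::API::Helpers::HeadersHelpers`; if that helper delegates to the no_cache_headers module (not visible here), the comment should name both so a reader can trace the asserted values, e.g. `# Pairs with lib/gitlab/no_cache_headers.rb (reached via API::Helpers::HeadersHelpers in the API layer).` The example pins the exact `Expires` string `Fri, 01 Jan 1990 00:00:00 GMT`, which is a sound regression guard but means any change to the helper's constant must be mirrored here — worth a one-line comment on that line. It also reads `response` without issuing a request itself, so including specs must perform the request in a `before` block, as the repositories_spec change does; a sentence in the header comment stating that contract would help the next user.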