authorGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 13:48:49 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 13:48:49 +0000
commit51ed9979342b862aa9b60c363c388c6c0daefdf0 (patch)
tree848824f787de3a8edd2e6faef2e6a23490478135
parent0ccebe8234f69119b9b05eb39c98c141c004e715 (diff)
downloadgitlab-ce-51ed9979342b862aa9b60c363c388c6c0daefdf0.tar.gz
Add latest changes from gitlab-org/security/gitlab@12-8-stable-ee
-rw-r--r--changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml5
-rw-r--r--lib/api/repositories.rb4
-rw-r--r--spec/requests/api/repositories_spec.rb6
-rw-r--r--spec/support/shared_examples/uncached_response_shared_examples.rb12
4 files changed, 27 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml b/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml
new file mode 100644
index 00000000000..1869e6ea039
--- /dev/null
+++ b/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml
@@ -0,0 +1,5 @@
+---
+title: Disable caching on repo/blobs/[sha]/raw endpoint
+merge_request:
+author:
+type: security
diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb
index 9953d3138f5..df80fae97d6 100644
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -6,6 +6,8 @@ module API
class Repositories < Grape::API
include PaginationParams
+ helpers ::API::Helpers::HeadersHelpers
+
before { authorize! :download_code, user_project }
params do
@@ -65,6 +67,8 @@ module API
get ':id/repository/blobs/:sha/raw' do
assign_blob_vars!
+ no_cache_headers
+
send_git_blob @repo, @blob
end
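Review bot: The `no_cache_headers` call is added to the raw-blob route with nothing saying why it belongs there, and it sits after `assign_blob_vars!`, so any response that helper short-circuits (such as the missing-sha 404 exercised further down in the spec) goes out without these headers; that is probably acceptable for an error body, but if it is intended, say so, otherwise move the call above `assign_blob_vars!`. I would add `# Blob contents are authorisation-gated per request; shared caches must not store or replay them` above the call, since the changelog records this as a security change and the next maintainer should not remove it as noise. Only this one route gets the treatment; the class continues outside the hunk, so if other routes in this file serve repository contents the same one-line call may be needed there, and the `helpers ::API::Helpers::HeadersHelpers` line in the earlier hunk already makes it available class-wide.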
diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb
index cea08aa8767..58aa04c621f 100644
--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -177,6 +177,12 @@ describe API::Repositories do
expect(headers['Content-Disposition']).to eq 'inline'
end
+ it_behaves_like 'uncached response' do
+ before do
+ get api(route, current_user)
+ end
+ end
+
context 'when sha does not exist' do
it_behaves_like '404 response' do
let(:request) { get api(route.sub(sample_blob.oid, '123456'), current_user) }
diff --git a/spec/support/shared_examples/uncached_response_shared_examples.rb b/spec/support/shared_examples/uncached_response_shared_examples.rb
new file mode 100644
index 00000000000..3997017ff35
--- /dev/null
+++ b/spec/support/shared_examples/uncached_response_shared_examples.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+#
+# Pairs with lib/gitlab/no_cache_headers.rb
+#
+
+RSpec.shared_examples 'uncached response' do
+ it 'defines an uncached header response' do
+ expect(response.headers["Cache-Control"]).to include("no-store", "no-cache")
+ expect(response.headers["Pragma"]).to eq("no-cache")
+ expect(response.headers["Expires"]).to eq("Fri, 01 Jan 1990 00:00:00 GMT")
+ end
+end
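Review bot: The header comment says the example pairs with lib/gitlab/no_cache_headers.rb, but the endpoint it is used against in this commit (lib/api/repositories.rb) calls `no_cache_headers` from `::API::Helpers::HeadersHelpers`; unless that helper delegates to the Gitlab module, which the diff does not show, the comment sends a reader to the wrong source of truth when an assertion here starts failing. I would widen it to `# Pairs with lib/gitlab/no_cache_headers.rb and API::Helpers::HeadersHelpers#no_cache_headers`. The assertions themselves read well: matching `Cache-Control` with `include` tolerates directive order, and pinning `Expires` to the fixed past date catches an accidental reformatting of that header.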