Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee

13 files changed, 119 insertions, 8 deletions

diff --git a/GITLAB_SHELL_VERSION b/GITLAB_SHELL_VERSION
index 04f6473099c..548118b6e78 100644
--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
@@ -1 +1 @@
-13.15.0
+13.15.1
diff --git a/app/controllers/projects/pipelines_controller.rb b/app/controllers/projects/pipelines_controller.rb
index e44c00e501e..ae8b3d9b51d 100644
--- a/app/controllers/projects/pipelines_controller.rb
+++ b/app/controllers/projects/pipelines_controller.rb
@@ -9,6 +9,7 @@ class Projects::PipelinesController < Projects::ApplicationController
   before_action :set_pipeline_path, only: [:show]
   before_action :authorize_read_pipeline!
   before_action :authorize_read_build!, only: [:index]
+  before_action :authorize_read_analytics!, only: [:charts]
   before_action :authorize_create_pipeline!, only: [:new, :create, :config_variables]
   before_action :authorize_update_pipeline!, only: [:retry, :cancel]
   before_action do
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 03cb53f55be..6135523a2f8 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -218,6 +218,7 @@ class ProjectPolicy < BasePolicy
     enable :read_pages_content
     enable :read_release
     enable :read_analytics
+    enable :read_insights
   end
 
   # These abilities are not allowed to admins that are not members of the project,
@@ -447,6 +448,9 @@ class ProjectPolicy < BasePolicy
 
   rule { analytics_disabled }.policy do
     prevent(:read_analytics)
+    prevent(:read_insights)
+    prevent(:read_cycle_analytics)
+    prevent(:read_repository_graphs)
   end
 
   rule { wiki_disabled }.policy do
@@ -520,6 +524,7 @@ class ProjectPolicy < BasePolicy
     enable :read_cycle_analytics
     enable :read_pages_content
     enable :read_analytics
+    enable :read_insights
 
     # NOTE: may be overridden by IssuePolicy
     enable :read_issue
diff --git a/changelogs/unreleased/security-limit-fscanl.yml b/changelogs/unreleased/security-limit-fscanl.yml
new file mode 100644
index 00000000000..92a2000c1b6
--- /dev/null
+++ b/changelogs/unreleased/security-limit-fscanl.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent Denial of Service Attack on gitlab-shell
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-respect-analytics-enabled-rule-for-project-level-analytics-featu.yml b/changelogs/unreleased/security-respect-analytics-enabled-rule-for-project-level-analytics-featu.yml
new file mode 100644
index 00000000000..46373d314fd
--- /dev/null
+++ b/changelogs/unreleased/security-respect-analytics-enabled-rule-for-project-level-analytics-featu.yml
@@ -0,0 +1,5 @@
+---
+title: Enforce the analytics enabled project setting for project-level analytics features
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-ssl-verification-ftc.yml b/changelogs/unreleased/security-ssl-verification-ftc.yml
new file mode 100644
index 00000000000..b87d40124d0
--- /dev/null
+++ b/changelogs/unreleased/security-ssl-verification-ftc.yml
@@ -0,0 +1,5 @@
+---
+title: Perform SSL verification for FortiTokenCloud Integration
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb b/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb
index d7506eca242..079d631e22a 100644
--- a/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb
+++ b/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb
@@ -61,8 +61,7 @@ module Gitlab
               headers: {
                 'Content-Type': 'application/json'
               }.merge(headers),
-              body: body,
-              verify: false # FTC API Docs specifically mentions to turn off SSL Verification while making requests.
+              body: body
             )
           end
         end
diff --git a/spec/factories/projects.rb b/spec/factories/projects.rb
index f5e496080c4..54a5dea49bb 100644
--- a/spec/factories/projects.rb
+++ b/spec/factories/projects.rb
@@ -28,6 +28,7 @@ FactoryBot.define do
       forking_access_level { ProjectFeature::ENABLED }
       merge_requests_access_level { ProjectFeature::ENABLED }
       repository_access_level { ProjectFeature::ENABLED }
+      analytics_access_level { ProjectFeature::ENABLED }
       pages_access_level do
         visibility_level == Gitlab::VisibilityLevel::PUBLIC ? ProjectFeature::ENABLED : ProjectFeature::PRIVATE
       end
@@ -63,7 +64,8 @@ FactoryBot.define do
         repository_access_level: evaluator.repository_access_level,
         pages_access_level: evaluator.pages_access_level,
         metrics_dashboard_access_level: evaluator.metrics_dashboard_access_level,
-        operations_access_level: evaluator.operations_access_level
+        operations_access_level: evaluator.operations_access_level,
+        analytics_access_level: evaluator.analytics_access_level
       }
 
       project.build_project_feature(hash)
@@ -335,6 +337,9 @@ FactoryBot.define do
     trait(:operations_enabled)           { operations_access_level { ProjectFeature::ENABLED } }
     trait(:operations_disabled)          { operations_access_level { ProjectFeature::DISABLED } }
     trait(:operations_private)           { operations_access_level { ProjectFeature::PRIVATE } }
+    trait(:analytics_enabled)           { analytics_access_level { ProjectFeature::ENABLED } }
+    trait(:analytics_disabled)          { analytics_access_level { ProjectFeature::DISABLED } }
+    trait(:analytics_private)           { analytics_access_level { ProjectFeature::PRIVATE } }
 
     trait :auto_devops do
       association :auto_devops, factory: :project_auto_devops
diff --git a/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb b/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb
index 1580fc82279..368cf98dfec 100644
--- a/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb
+++ b/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb
@@ -13,6 +13,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
   let(:otp_verification_url) { url + '/auth' }
   let(:access_token) { 'an_access_token' }
   let(:access_token_create_response_body) { '' }
+  let(:access_token_request_body) { { client_id: client_id, client_secret: client_secret } }
+  let(:headers) { { 'Content-Type': 'application/json' } }
 
   subject(:validate) { described_class.new(user).validate(otp_code) }
 
@@ -27,11 +29,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
       client_secret: client_secret
     )
 
-    access_token_request_body = { client_id: client_id,
-                                  client_secret: client_secret }
-
     stub_request(:post, access_token_create_url)
-      .with(body: JSON(access_token_request_body), headers: { 'Content-Type' => 'application/json' })
+      .with(body: JSON(access_token_request_body), headers: headers)
       .to_return(
         status: access_token_create_response_status,
         body: Gitlab::Json.generate(access_token_create_response_body),
@@ -81,6 +80,20 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
     end
   end
 
+  context 'SSL Verification' do
+    let(:access_token_create_response_status) { 400 }
+
+    context 'with `Gitlab::HTTP`' do
+      it 'does not use a `verify` argument,'\
+         'thereby always performing SSL verification while making API calls' do
+        expect(Gitlab::HTTP).to receive(:post)
+          .with(access_token_create_url, body: JSON(access_token_request_body), headers: headers).and_call_original
+
+        validate
+      end
+    end
+  end
+
   def stub_forti_token_cloud_config(forti_token_cloud_settings)
     allow(::Gitlab.config.forti_token_cloud).to(receive_messages(forti_token_cloud_settings))
   end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index e6650549f7f..8bd4a463f87 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -992,6 +992,78 @@ RSpec.describe ProjectPolicy do
       it { is_expected.to be_allowed(:read_analytics) }
     end
 
+    context 'with various analytics features' do
+      let_it_be(:project_with_analytics_disabled) { create(:project, :analytics_disabled) }
+      let_it_be(:project_with_analytics_private) { create(:project, :analytics_private) }
+      let_it_be(:project_with_analytics_enabled) { create(:project, :analytics_enabled) }
+
+      before do
+        project_with_analytics_disabled.add_developer(developer)
+        project_with_analytics_private.add_developer(developer)
+        project_with_analytics_enabled.add_developer(developer)
+      end
+
+      context 'when analytics is enabled for the project' do
+        let(:project) { project_with_analytics_disabled }
+
+        context 'for guest user' do
+          let(:current_user) { guest }
+
+          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_disallowed(:read_repository_graphs) }
+        end
+
+        context 'for developer' do
+          let(:current_user) { developer }
+
+          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_disallowed(:read_repository_graphs) }
+        end
+      end
+
+      context 'when analytics is private for the project' do
+        let(:project) { project_with_analytics_private }
+
+        context 'for guest user' do
+          let(:current_user) { guest }
+
+          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_disallowed(:read_repository_graphs) }
+        end
+
+        context 'for developer' do
+          let(:current_user) { developer }
+
+          it { is_expected.to be_allowed(:read_cycle_analytics) }
+          it { is_expected.to be_allowed(:read_insights) }
+          it { is_expected.to be_allowed(:read_repository_graphs) }
+        end
+      end
+
+      context 'when analytics is enabled for the project' do
+        let(:project) { project_with_analytics_private }
+
+        context 'for guest user' do
+          let(:current_user) { guest }
+
+          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_disallowed(:read_repository_graphs) }
+        end
+
+        context 'for developer' do
+          let(:current_user) { developer }
+
+          it { is_expected.to be_allowed(:read_cycle_analytics) }
+          it { is_expected.to be_allowed(:read_insights) }
+          it { is_expected.to be_allowed(:read_repository_graphs) }
+        end
+      end
+    end
+
     context 'project member' do
       let(:project) { private_project }
 
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index e3eb3649a1a..8a4a7880ab4 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -886,6 +886,7 @@ RSpec.describe API::Projects do
         merge_method: 'ff'
       }).tap do |attrs|
         attrs[:operations_access_level] = 'disabled'
+        attrs[:analytics_access_level] = 'disabled'
       end
 
       post api('/projects', user), params: project
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100644..100755
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100644..100755
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore