author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 14:12:12 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 14:12:30 +0000 |
commit | e2e6f2f2e9a5a4e84d724864fc4d27a8f1605c64 (patch) | |
tree | fddcd765db7a031c5607e7b4a0d80f8c81a1820e | |
parent | 25344e300eb871a7ce61f734c5e8f47d3e2f3aae (diff) | |
download | gitlab-ce-e2e6f2f2e9a5a4e84d724864fc4d27a8f1605c64.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee
-rw-r--r-- | .rubocop_todo/layout/line_length.yml | 1 | ||||
-rw-r--r-- | app/models/group_group_link.rb | 2 | ||||
-rw-r--r-- | doc/user/group/index.md | 3 | ||||
-rw-r--r-- | lib/gitlab/jira/dvcs.rb | 3 | ||||
-rw-r--r-- | locale/gitlab.pot | 3 | ||||
-rw-r--r-- | spec/requests/jira_routing_spec.rb | 54 |
6 files changed, 48 insertions, 18 deletions
diff --git a/.rubocop_todo/layout/line_length.yml b/.rubocop_todo/layout/line_length.yml index 8a922a1f163..f49d99360a2 100644 --- a/.rubocop_todo/layout/line_length.yml +++ b/.rubocop_todo/layout/line_length.yml @@ -1979,7 +1979,6 @@ Layout/LineLength: - 'ee/spec/features/groups/iterations/user_edits_iteration_spec.rb' - 'ee/spec/features/groups/iterations/user_views_iteration_cadence_spec.rb' - 'ee/spec/features/groups/iterations/user_views_iteration_spec.rb' - - 'ee/spec/features/groups/members/manage_groups_spec.rb' - 'ee/spec/features/groups/members/manage_members_spec.rb' - 'ee/spec/features/groups/members/override_ldap_memberships_spec.rb' - 'ee/spec/features/groups/saml_providers_spec.rb' diff --git a/app/models/group_group_link.rb b/app/models/group_group_link.rb index b0020f097b5..a70110c4076 100644 --- a/app/models/group_group_link.rb +++ b/app/models/group_group_link.rb @@ -41,3 +41,5 @@ class GroupGroupLink < ApplicationRecord Gitlab::Access.human_access(self.group_access) end end + +GroupGroupLink.prepend_mod_with('GroupGroupLink') diff --git a/doc/user/group/index.md b/doc/user/group/index.md index 085cd054c14..4d22bb045d2 100644 --- a/doc/user/group/index.md +++ b/doc/user/group/index.md @@ -640,6 +640,7 @@ To restrict group access by IP address: > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7297) in GitLab 12.2. > - Support for specifying multiple email domains [added](https://gitlab.com/gitlab-org/gitlab/-/issues/33143) in GitLab 13.1. > - Support for restricting access to projects in the group [added](https://gitlab.com/gitlab-org/gitlab/-/issues/14004) in GitLab 14.1.2. +> - Support for restricting group memberships to groups with a subset of the allowed email domains [added](https://gitlab.com/gitlab-org/gitlab/-/issues/354791) in GitLab 15.0.1 You can prevent users with email addresses in specific domains from being added to a group and its projects. 
@@ -662,6 +663,8 @@ The most popular public email domains cannot be restricted, such as: - `hotmail.com`, `hotmail.co.uk`, `hotmail.fr` - `msn.com`, `live.com`, `outlook.com` +When you share a group, both the source and target namespaces must allow the domains of the members' email addresses. + ## Group file templates **(PREMIUM)** Use group file templates to share a set of templates for common file diff --git a/lib/gitlab/jira/dvcs.rb b/lib/gitlab/jira/dvcs.rb index ddf2cd76709..41a039674b3 100644 --- a/lib/gitlab/jira/dvcs.rb +++ b/lib/gitlab/jira/dvcs.rb @@ -38,7 +38,8 @@ module Gitlab # @param [String] namespace def self.restore_full_path(namespace:, project:) if project.include?(ENCODED_SLASH) - project.gsub(ENCODED_SLASH, SLASH) + # Replace multiple slashes with single ones to make sure the redirect stays on the same host + project.gsub(ENCODED_SLASH, SLASH).gsub(%r{\/{2,}}, '/') else "#{namespace}/#{project}" end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index edad17df272..5ecd033296b 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -20839,6 +20839,9 @@ msgstr "" msgid "Invited" msgstr "" +msgid "Invited group allowed email domains must contain a subset of the allowed email domains of the root ancestor group. Go to the group's 'Settings > General' page and check 'Restrict membership by email domain'." +msgstr "" + msgid "Invocations" msgstr "" diff --git a/spec/requests/jira_routing_spec.rb b/spec/requests/jira_routing_spec.rb index a627eea33a8..e0e170044de 100644 --- a/spec/requests/jira_routing_spec.rb +++ b/spec/requests/jira_routing_spec.rb 
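Review bot: The same-host guarantee in `restore_full_path` now rests on a single cleanup in the `ENCODED_SLASH` branch, and that cleanup collapses only runs of `/`. The `else` branch still returns `"#{namespace}/#{project}"` as-is, and a backslash next to the leading slash, which browsers commonly treat like `/`, would not be normalised. Whether the route constraints already exclude those inputs is not visible in this hunk, so I would confirm that and, as defence in depth, have the caller that issues the redirect reject any target that is not a single-slash relative path. As a smaller point, the `\/` escape is unnecessary inside `%r{}` and the replacement hard-codes `'/'` next to the `SLASH` constant; `project.gsub(ENCODED_SLASH, SLASH).squeeze(SLASH)` reads more directly, assuming `SLASH` is `'/'`. The rest of the method and the redirect site are outside the hunk.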
@@ -25,27 +25,49 @@ RSpec.describe 'Jira referenced paths', type: :request do expect(response).to redirect_to(redirect_path) end - context 'with encoded subgroup path' do - where(:jira_path, :redirect_path) do - '/group/group@sub_group@sub_group_project' | '/group/sub_group/sub_group_project' - '/group@sub_group/group@sub_group@sub_group_project' | '/group/sub_group/sub_group_project' - '/group/group@sub_group@sub_group_project/commit/1234567' | '/group/sub_group/sub_group_project/commit/1234567' - '/group/group@sub_group@sub_group_project/tree/1234567' | '/group/sub_group/sub_group_project/-/tree/1234567' + shared_examples 'redirects to jira path' do + it 'redirects to canonical path with legacy prefix' do + redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path end - with_them do - context 'with legacy prefix' do - it 'redirects to canonical path' do - redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path - end - end - - it 'redirects to canonical path' do - redirects_to_canonical_path jira_path, redirect_path - end + it 'redirects to canonical path' do + redirects_to_canonical_path jira_path, redirect_path end end + let(:jira_path) { '/group/group@sub_group@sub_group_project' } + let(:redirect_path) { '/group/sub_group/sub_group_project' } + + it_behaves_like 'redirects to jira path' + + context 'contains @ before the first /' do + let(:jira_path) { '/group@sub_group/group@sub_group@sub_group_project' } + let(:redirect_path) { '/group/sub_group/sub_group_project' } + + it_behaves_like 'redirects to jira path' + end + + context 'including commit path' do + let(:jira_path) { '/group/group@sub_group@sub_group_project/commit/1234567' } + let(:redirect_path) { '/group/sub_group/sub_group_project/commit/1234567' } + + it_behaves_like 'redirects to jira path' + end + + context 'including tree path' do + let(:jira_path) { '/group/group@sub_group@sub_group_project/tree/1234567' } + let(:redirect_path) { 
'/group/sub_group/sub_group_project/-/tree/1234567' } + + it_behaves_like 'redirects to jira path' + end + + context 'malicious path' do + let(:jira_path) { '/group/@@malicious.server' } + let(:redirect_path) { '/malicious.server' } + + it_behaves_like 'redirects to jira path' + end + context 'regular paths with legacy prefix' do where(:jira_path, :redirect_path) do '/-/jira/group/group_project' | '/group/group_project' |
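Review bot: The `malicious path` context pins only one input shape, exactly two encoded slashes directly after the first segment, so it would still pass if the `{2,}` quantifier in `restore_full_path` were later narrowed to `{2}`. I would add a sibling context whose `jira_path` carries a longer run of `@` with the same expected `redirect_path`, and name the context after the property being protected, e.g. `context 'with consecutive encoded slashes'`, so a failure reads as a same-host redirect regression. Replacing the `where` table with four near-identical contexts also loses the compact table; unless the table syntax could not express the new case, keeping `where`/`with_them` and adding one row would have been a smaller change.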