diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-01 18:31:04 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-01 18:31:04 +0000 |
commit | b324ddc843f8ef31618b506e7a4b052b7519c624 (patch) | |
tree | 0e2c2d8fcd8f668a48f53295826b2de2917f6639 | |
parent | d4ba3c22bf2b63e606f87cf87082b7a9aa5e8581 (diff) | |
download | gitlab-ce-b324ddc843f8ef31618b506e7a4b052b7519c624.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-7-stable-ee
-rw-r--r-- | app/finders/notes_finder.rb | 2 | ||||
-rw-r--r-- | lib/api/entities/tag.rb | 8 | ||||
-rw-r--r-- | lib/api/tags.rb | 10 | ||||
-rw-r--r-- | lib/banzai/filter/kroki_filter.rb | 6 | ||||
-rw-r--r-- | spec/finders/notes_finder_spec.rb | 47 | ||||
-rw-r--r-- | spec/finders/snippets_finder_spec.rb | 25 | ||||
-rw-r--r-- | spec/fixtures/api/schemas/public_api/v4/tag.json | 3 | ||||
-rw-r--r-- | spec/lib/banzai/filter/kroki_filter_spec.rb | 7 | ||||
-rw-r--r-- | spec/requests/api/tags_spec.rb | 64 |
9 files changed, 148 insertions, 24 deletions
diff --git a/app/finders/notes_finder.rb b/app/finders/notes_finder.rb index 7890502cf0e..c542ffbce7e 100644 --- a/app/finders/notes_finder.rb +++ b/app/finders/notes_finder.rb @@ -117,7 +117,7 @@ class NotesFinder when "snippet", "project_snippet" SnippetsFinder.new(@current_user, project: @project).execute # rubocop: disable CodeReuse/Finder when "personal_snippet" - PersonalSnippet.all + SnippetsFinder.new(@current_user, only_personal: true).execute # rubocop: disable CodeReuse/Finder else raise "invalid target_type '#{noteable_type}'" end diff --git a/lib/api/entities/tag.rb b/lib/api/entities/tag.rb index 713bae64d5c..5047258dd97 100644 --- a/lib/api/entities/tag.rb +++ b/lib/api/entities/tag.rb @@ -3,6 +3,8 @@ module API module Entities class Tag < Grape::Entity + include RequestAwareEntity + expose :name, documentation: { type: 'string', example: 'v1.0.0' } expose :message, documentation: { type: 'string', example: 'Release v1.0.0' } expose :target, documentation: { type: 'string', example: '2695effb5807a22ff3d138d593fd856244e155e7' } @@ -12,7 +14,7 @@ module API end # rubocop: disable CodeReuse/ActiveRecord - expose :release, using: Entities::TagRelease do |repo_tag, options| + expose :release, using: Entities::TagRelease, if: ->(*) { can_read_release? } do |repo_tag, options| options[:project].releases.find_by(tag: repo_tag.name) end # rubocop: enable CodeReuse/ActiveRecord @@ -20,6 +22,10 @@ module API expose :protected, documentation: { type: 'boolean', example: true } do |repo_tag, options| ::ProtectedTag.protected?(options[:project], repo_tag.name) end + + def can_read_release? + can?(options[:current_user], :read_release, options[:project]) + end end end end diff --git a/lib/api/tags.rb b/lib/api/tags.rb index 4ddf22c726f..f918fb997bf 100644 --- a/lib/api/tags.rb +++ b/lib/api/tags.rb @@ -45,7 +45,13 @@ module API paginated_tags = Gitlab::Pagination::GitalyKeysetPager.new(self, user_project).paginate(tags_finder) - present_cached paginated_tags, with: Entities::Tag, project: user_project, cache_context: -> (_tag) { user_project.cache_key } + present_cached paginated_tags, + with: Entities::Tag, + project: user_project, + current_user: current_user, + cache_context: -> (_tag) do + [user_project.cache_key, can?(current_user, :read_release, user_project)].join(':') + end rescue Gitlab::Git::InvalidPageToken => e unprocessable_entity!(e.message) @@ -68,7 +74,7 @@ module API tag = user_project.repository.find_tag(params[:tag_name]) not_found!('Tag') unless tag - present tag, with: Entities::Tag, project: user_project + present tag, with: Entities::Tag, project: user_project, current_user: current_user end desc 'Create a new repository tag' do diff --git a/lib/banzai/filter/kroki_filter.rb b/lib/banzai/filter/kroki_filter.rb index 26f42c6b194..2b9e2a22c11 100644 --- a/lib/banzai/filter/kroki_filter.rb +++ b/lib/banzai/filter/kroki_filter.rb @@ -9,6 +9,8 @@ module Banzai # HTML that replaces all diagrams supported by Kroki with the corresponding img tags. # If the source content is large then the hidden attribute is added to the img tag. class KrokiFilter < HTML::Pipeline::Filter + include ActionView::Helpers::TagHelper + MAX_CHARACTER_LIMIT = 2000 def call @@ -27,9 +29,11 @@ module Banzai diagram_format = "svg" doc.xpath(xpath).each do |node| diagram_type = node.parent['lang'] || node['lang'] + next unless diagram_selectors.include?(diagram_type) + diagram_src = node.content image_src = create_image_src(diagram_type, diagram_format, diagram_src) - img_tag = Nokogiri::HTML::DocumentFragment.parse(%(<img src="#{image_src}" />)) + img_tag = Nokogiri::HTML::DocumentFragment.parse(content_tag(:img, nil, src: image_src)) img_tag = img_tag.children.first next if img_tag.nil? diff --git a/spec/finders/notes_finder_spec.rb b/spec/finders/notes_finder_spec.rb index 61be90b267a..792a14e3064 100644 --- a/spec/finders/notes_finder_spec.rb +++ b/spec/finders/notes_finder_spec.rb @@ -148,15 +148,6 @@ RSpec.describe NotesFinder do expect(notes.count).to eq(1) end - it 'finds notes on personal snippets' do - note = create(:note_on_personal_snippet) - params = { project: project, target_type: 'personal_snippet', target_id: note.noteable_id } - - notes = described_class.new(user, params).execute - - expect(notes.count).to eq(1) - end - it 'raises an exception for an invalid target_type' do params[:target_type] = 'invalid' expect { described_class.new(user, params).execute }.to raise_error("invalid target_type '#{params[:target_type]}'") @@ -190,6 +181,44 @@ RSpec.describe NotesFinder do expect { described_class.new(user, params).execute }.to raise_error(ActiveRecord::RecordNotFound) end end + + context 'when targeting personal_snippet' do + using RSpec::Parameterized::TableSyntax + + let(:author) { create(:user) } + let(:user) { create(:user, email: 'foo@baz.com') } + let(:admin) { create(:admin) } + + where(:snippet_visibility, :current_user, :access) do + Snippet::PRIVATE | ref(:author) | true + Snippet::PRIVATE | ref(:admin) | true + Snippet::PRIVATE | ref(:user) | false + Snippet::PUBLIC | ref(:author) | true + Snippet::PUBLIC | ref(:user) | true + end + + with_them do + let(:personal_snippet) { create(:personal_snippet, author: author, visibility_level: snippet_visibility) } + let(:note) { create(:note, noteable: personal_snippet) } + let(:params) { { project: project, target_type: 'personal_snippet', target_id: note.noteable.id } } + + subject(:notes) do + described_class.new(current_user, params).execute + end + + before do + allow(admin).to receive(:can_read_all_resources?).and_return(true) + end + + it 'returns the proper access' do + if access + expect(notes.count).to eq(1) + else + expect { notes }.to raise_error(::ActiveRecord::RecordNotFound) + end + end + end + end end context 'for explicit target' do diff --git a/spec/finders/snippets_finder_spec.rb b/spec/finders/snippets_finder_spec.rb index 9c9a04a4df5..48880ec2c1f 100644 --- a/spec/finders/snippets_finder_spec.rb +++ b/spec/finders/snippets_finder_spec.rb @@ -231,22 +231,31 @@ RSpec.describe SnippetsFinder do context 'filter by snippet type' do context 'when filtering by only_personal snippet', :enable_admin_mode do - it 'returns only personal snippet' do + let!(:admin_private_personal_snippet) { create(:personal_snippet, :private, author: admin) } + let(:user_without_snippets) { create :user } + + it 'returns all personal snippets for the admin' do snippets = described_class.new(admin, only_personal: true).execute + expect(snippets).to contain_exactly(admin_private_personal_snippet, + private_personal_snippet, + internal_personal_snippet, + public_personal_snippet) + end + + it 'returns only personal snippets visible by user' do + snippets = described_class.new(user, only_personal: true).execute + expect(snippets).to contain_exactly(private_personal_snippet, internal_personal_snippet, public_personal_snippet) end - end - context 'when filtering by only_project snippet', :enable_admin_mode do - it 'returns only project snippet' do - snippets = described_class.new(admin, only_project: true).execute + it 'returns only internal or public personal snippets for user without snippets' do + snippets = described_class.new(user_without_snippets, only_personal: true).execute - expect(snippets).to contain_exactly(private_project_snippet, - internal_project_snippet, - public_project_snippet) + expect(snippets).to contain_exactly(internal_personal_snippet, + public_personal_snippet) end end end diff --git a/spec/fixtures/api/schemas/public_api/v4/tag.json b/spec/fixtures/api/schemas/public_api/v4/tag.json index bb0190955f0..71e6c0ec035 100644 --- a/spec/fixtures/api/schemas/public_api/v4/tag.json +++ b/spec/fixtures/api/schemas/public_api/v4/tag.json @@ -3,8 +3,7 @@ "required" : [ "name", "message", - "commit", - "release" + "commit" ], "properties" : { "name": { "type": "string" }, diff --git a/spec/lib/banzai/filter/kroki_filter_spec.rb b/spec/lib/banzai/filter/kroki_filter_spec.rb index 3f4f3aafdd6..34e79ed485d 100644 --- a/spec/lib/banzai/filter/kroki_filter_spec.rb +++ b/spec/lib/banzai/filter/kroki_filter_spec.rb @@ -54,4 +54,11 @@ RSpec.describe Banzai::Filter::KrokiFilter do expect(doc.to_s).to start_with '<img src="http://localhost:8000/nomnoml/svg/eNqLDsgsSixJrUmtTHXOL80rsVLwzCupKUrMTNHQtC7IzMlJTE_V0KyJyVNQiE5KTSxKidXVjS5ILCrKL4lFFrSyi07LL81RyM0vLckAysRGjxo8avCowaMGjxo8avCowaMGU8lgAE7mIdc=" hidden="" class="js-render-kroki" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,W1BpcmF0ZXxleWVDb3VudDog' end + + it 'verifies diagram type to avoid possible XSS' do + stub_application_setting(kroki_enabled: true, kroki_url: "http://localhost:8000") + doc = filter(%(<a><pre lang='f/" onerror=alert(1) onload=alert(1) '><code lang="wavedrom">xss</code></pre></a>)) + + expect(doc.to_s).to eq %(<a><pre lang='f/" onerror=alert(1) onload=alert(1) '><code lang="wavedrom">xss</code></pre></a>) + end end diff --git a/spec/requests/api/tags_spec.rb b/spec/requests/api/tags_spec.rb index b02c7135b7b..ab5e04246e8 100644 --- a/spec/requests/api/tags_spec.rb +++ b/spec/requests/api/tags_spec.rb @@ -111,6 +111,22 @@ RSpec.describe API::Tags, feature_category: :source_code_management do let(:project) { create(:project, :public, :repository) } it_behaves_like 'repository tags' + + context 'and releases are private' do + before do + create(:release, project: project, tag: tag_name) + project.project_feature.update!(releases_access_level: ProjectFeature::PRIVATE) + end + + it 'returns the repository tags without release information' do + get api(route, current_user) + + expect(response).to have_gitlab_http_status(:ok) + expect(response).to match_response_schema('public_api/v4/tags') + expect(response).to include_pagination_headers + expect(json_response.map { |r| r.has_key?('release') }).to all(be_falsey) + end + end end context 'when unauthenticated', 'and project is private' do @@ -251,6 +267,21 @@ RSpec.describe API::Tags, feature_category: :source_code_management do it_behaves_like "cache expired" end + + context 'when user is not allowed to :read_release' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC) + project.project_feature.update!(releases_access_level: ProjectFeature::PRIVATE) + + get api(route, user) # Cache as a user allowed to :read_release + end + + it "isn't cached" do + expect(API::Entities::Tag).to receive(:represent).exactly(3).times + + get api(route, nil) + end + end end context 'when gitaly is unavailable' do @@ -302,6 +333,21 @@ RSpec.describe API::Tags, feature_category: :source_code_management do let(:project) { create(:project, :public, :repository) } it_behaves_like 'repository tag' + + context 'and releases are private' do + before do + create(:release, project: project, tag: tag_name) + project.project_feature.update!(releases_access_level: ProjectFeature::PRIVATE) + end + + it 'returns the repository tags without release information' do + get api(route, current_user) + + expect(response).to have_gitlab_http_status(:ok) + expect(response).to match_response_schema('public_api/v4/tag') + expect(json_response.has_key?('release')).to be_falsey + end + end end context 'when unauthenticated', 'and project is private' do @@ -328,6 +374,24 @@ RSpec.describe API::Tags, feature_category: :source_code_management do let(:request) { get api(route, guest) } end end + + context 'with releases' do + let(:description) { 'Awesome release!' } + + before do + create(:release, project: project, tag: tag_name, description: description) + end + + it 'returns release information' do + get api(route, user) + + expect(response).to have_gitlab_http_status(:ok) + expect(response).to match_response_schema('public_api/v4/tag') + + expect(json_response['message']).to eq(tag_message) + expect(json_response.dig('release', 'description')).to eq(description) + end + end end describe 'POST /projects/:id/repository/tags' do |