Merge branch 'security-bump-rails-version-11-6' into 'security-11-6'

[11.6] Bump Rails version to 5.0.7.1 See merge request gitlab/gitlabhq!2797 (cherry picked from commit 3a5dd09effda664888b25c935142b5c8fc23c304) f705c816 Bump Ruby on Rails version to 5.0.7.1
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-01-24 12:49:58 +0000
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-01-24 12:50:01 +0000
commit: 52a93abb838105fb6eb4cb130161d7db2bb6f9c6 (patch)
tree: 92e4cf0fefdbd4971cde9017506b858a6d0c21d9
parent: 26faee772e6956c3949ee227fe1fbb81a90c6a30 (diff)
download: gitlab-ce-52a93abb838105fb6eb4cb130161d7db2bb6f9c6.tar.gz
7 files changed, 88 insertions, 56 deletions
diff --git a/Gemfile b/Gemfile
index 6912b8f53a8..fbdbc4034cd 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,9 +4,9 @@ def rails5?
 end
 
 gem_versions = {}
-gem_versions['activerecord_sane_schema_dumper'] = rails5? ? '1.0'    : '0.2'
-gem_versions['rails']                           = rails5? ? '5.0.7'  : '4.2.11'
-gem_versions['rails-i18n']                      = rails5? ? '~> 5.1' : '~> 4.0.9'
+gem_versions['activerecord_sane_schema_dumper'] = rails5? ? '1.0'     : '0.2'
+gem_versions['rails']                           = rails5? ? '5.0.7.1' : '4.2.11'
+gem_versions['rails-i18n']                      = rails5? ? '~> 5.1'  : '~> 4.0.9'
 
 # The 2.0.6 version of rack requires monkeypatch to be present in
 # `config.ru`. This can be removed once a new update for Rack
diff --git a/Gemfile.lock b/Gemfile.lock
index b4532efe30e..526c5aa9bf9 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -4,41 +4,41 @@ GEM
     RedCloth (4.3.2)
     abstract_type (0.0.7)
     ace-rails-ap (4.1.2)
-    actioncable (5.0.7)
-      actionpack (= 5.0.7)
+    actioncable (5.0.7.1)
+      actionpack (= 5.0.7.1)
       nio4r (>= 1.2, < 3.0)
       websocket-driver (~> 0.6.1)
-    actionmailer (5.0.7)
-      actionpack (= 5.0.7)
-      actionview (= 5.0.7)
-      activejob (= 5.0.7)
+    actionmailer (5.0.7.1)
+      actionpack (= 5.0.7.1)
+      actionview (= 5.0.7.1)
+      activejob (= 5.0.7.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.0.7)
-      actionview (= 5.0.7)
-      activesupport (= 5.0.7)
+    actionpack (5.0.7.1)
+      actionview (= 5.0.7.1)
+      activesupport (= 5.0.7.1)
       rack (~> 2.0)
       rack-test (~> 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.0.7)
-      activesupport (= 5.0.7)
+    actionview (5.0.7.1)
+      activesupport (= 5.0.7.1)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.0.7)
-      activesupport (= 5.0.7)
+    activejob (5.0.7.1)
+      activesupport (= 5.0.7.1)
       globalid (>= 0.3.6)
-    activemodel (5.0.7)
-      activesupport (= 5.0.7)
-    activerecord (5.0.7)
-      activemodel (= 5.0.7)
-      activesupport (= 5.0.7)
+    activemodel (5.0.7.1)
+      activesupport (= 5.0.7.1)
+    activerecord (5.0.7.1)
+      activemodel (= 5.0.7.1)
+      activesupport (= 5.0.7.1)
       arel (~> 7.0)
     activerecord_sane_schema_dumper (1.0)
       rails (>= 5, < 6)
-    activesupport (5.0.7)
+    activesupport (5.0.7.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -291,7 +291,7 @@ GEM
       omniauth (~> 1.3)
       pyu-ruby-sasl (>= 0.0.3.3, < 0.1)
       rubyntlm (~> 0.5)
-    globalid (0.4.1)
+    globalid (0.4.2)
       activesupport (>= 4.2.0)
     gon (6.2.0)
       actionpack (>= 3.0)
@@ -381,7 +381,7 @@ GEM
       json (~> 1.8)
       multi_xml (>= 0.5.2)
     httpclient (2.8.3)
-    i18n (1.1.1)
+    i18n (1.5.2)
       concurrent-ruby (~> 1.0)
     icalendar (2.4.1)
     ice_nine (0.11.2)
@@ -449,7 +449,7 @@ GEM
     loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.7.0)
+    mail (2.7.1)
       mini_mime (>= 0.1.1)
     mail_room (0.9.1)
     memoist (0.16.0)
@@ -623,17 +623,17 @@ GEM
       rack
     rack-test (0.6.3)
       rack (>= 1.0)
-    rails (5.0.7)
-      actioncable (= 5.0.7)
-      actionmailer (= 5.0.7)
-      actionpack (= 5.0.7)
-      actionview (= 5.0.7)
-      activejob (= 5.0.7)
-      activemodel (= 5.0.7)
-      activerecord (= 5.0.7)
-      activesupport (= 5.0.7)
+    rails (5.0.7.1)
+      actioncable (= 5.0.7.1)
+      actionmailer (= 5.0.7.1)
+      actionpack (= 5.0.7.1)
+      actionview (= 5.0.7.1)
+      activejob (= 5.0.7.1)
+      activemodel (= 5.0.7.1)
+      activerecord (= 5.0.7.1)
+      activesupport (= 5.0.7.1)
       bundler (>= 1.3.0)
-      railties (= 5.0.7)
+      railties (= 5.0.7.1)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.2)
       actionpack (~> 5.x, >= 5.0.1)
@@ -649,15 +649,15 @@ GEM
     rails-i18n (5.1.1)
       i18n (>= 0.7, < 2)
       railties (>= 5.0, < 6)
-    railties (5.0.7)
-      actionpack (= 5.0.7)
-      activesupport (= 5.0.7)
+    railties (5.0.7.1)
+      actionpack (= 5.0.7.1)
+      activesupport (= 5.0.7.1)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rainbow (3.0.0)
     raindrops (0.18.0)
-    rake (12.3.1)
+    rake (12.3.2)
     rb-fsevent (0.10.2)
     rb-inotify (0.9.10)
       ffi (>= 0.5.0, < 2)
@@ -1095,7 +1095,7 @@ DEPENDENCIES
   rack-cors (~> 1.0.0)
   rack-oauth2 (~> 1.2.1)
   rack-proxy (~> 0.6.0)
-  rails (= 5.0.7)
+  rails (= 5.0.7.1)
   rails-controller-testing
   rails-deprecated_sanitizer (~> 1.0.3)
   rails-i18n (~> 5.1)
diff --git a/app/services/merge_requests/update_service.rb b/app/services/merge_requests/update_service.rb
index aacaf10d09c..1b447605a00 100644
--- a/app/services/merge_requests/update_service.rb
+++ b/app/services/merge_requests/update_service.rb
@@ -45,11 +45,13 @@ module MergeRequests
       end
 
       if merge_request.previous_changes.include?('assignee_id')
+        reassigned_merge_request_args = [merge_request, current_user]
+
         old_assignee_id = merge_request.previous_changes['assignee_id'].first
-        old_assignee = User.find(old_assignee_id) if old_assignee_id
+        reassigned_merge_request_args << User.find(old_assignee_id) if old_assignee_id
 
         create_assignee_note(merge_request)
-        notification_service.async.reassigned_merge_request(merge_request, current_user, old_assignee)
+        notification_service.async.reassigned_merge_request(*reassigned_merge_request_args)
         todo_service.reassigned_merge_request(merge_request, current_user)
       end
 
diff --git a/app/services/notification_service.rb b/app/services/notification_service.rb
index e24ef7f9c87..5df68e7a0ad 100644
--- a/app/services/notification_service.rb
+++ b/app/services/notification_service.rb
@@ -188,7 +188,7 @@ class NotificationService
   #  * merge_request assignee if their notification level is not Disabled
   #  * users with custom level checked with "reassign merge request"
   #
-  def reassigned_merge_request(merge_request, current_user, previous_assignee)
+  def reassigned_merge_request(merge_request, current_user, previous_assignee = nil)
     recipients = NotificationRecipientService.build_recipients(
       merge_request,
       current_user,
diff --git a/app/workers/mail_scheduler/notification_service_worker.rb b/app/workers/mail_scheduler/notification_service_worker.rb
index 4726e416182..c8ccaf0c487 100644
--- a/app/workers/mail_scheduler/notification_service_worker.rb
+++ b/app/workers/mail_scheduler/notification_service_worker.rb
@@ -8,14 +8,35 @@ module MailScheduler
     include MailSchedulerQueue
 
     def perform(meth, *args)
-      deserialized_args = ActiveJob::Arguments.deserialize(args)
+      check_arguments!(args)
 
+      deserialized_args = ActiveJob::Arguments.deserialize(args)
       notification_service.public_send(meth, *deserialized_args) # rubocop:disable GitlabSecurity/PublicSend
     rescue ActiveJob::DeserializationError
+      # No-op.
+      # This exception gets raised when an argument
+      # is correct (deserializeable), but it still cannot be deserialized.
+      # This can happen when an object has been deleted after
+      # rails passes this job to sidekiq, but before
+      # sidekiq gets it for execution.
+      # In this case just do nothing.
     end
 
     def self.perform_async(*args)
       super(*ActiveJob::Arguments.serialize(args))
     end
+
+    private
+
+    # If an argument is in the ActiveJob::Arguments::TYPE_WHITELIST list,
+    # it means the argument cannot be deserialized.
+    # Which means there's something wrong with our code.
+    def check_arguments!(args)
+      args.each do |arg|
+        if arg.class.in?(ActiveJob::Arguments::TYPE_WHITELIST)
+          raise(ArgumentError, "Argument `#{arg}` cannot be deserialized because of its type")
+        end
+      end
+    end
   end
 end
diff --git a/changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml b/changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml
new file mode 100644
index 00000000000..fc8af425779
--- /dev/null
+++ b/changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml
@@ -0,0 +1,5 @@
+---
+title: Bump Ruby on Rails to 4.2.11
+merge_request:
+author: "@blackst0ne"
+type: security
diff --git a/spec/workers/mail_scheduler/notification_service_worker_spec.rb b/spec/workers/mail_scheduler/notification_service_worker_spec.rb
index e726f469816..1033557ee88 100644
--- a/spec/workers/mail_scheduler/notification_service_worker_spec.rb
+++ b/spec/workers/mail_scheduler/notification_service_worker_spec.rb
@@ -16,18 +16,22 @@ describe MailScheduler::NotificationServiceWorker do
       worker.perform(method, *serialize(key))
     end
 
-    # actionmailer wasn't actually upgraded from 4.2.10 to 4.2.11 in
-    # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23520.
-    #
-    # Attempting to run this spec in Rails 4 will fail until
-    # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23396
-    # is merged. Let's disable it since we are only using Rails 5 on
-    # this branch.
-    context 'when the arguments cannot be deserialized', :rails5 do
-      it 'does nothing' do
-        expect(worker.notification_service).not_to receive(method)
-
-        worker.perform(method, key.to_global_id.to_s.succ)
+    context 'when the arguments cannot be deserialized' do
+      context 'when the arguments are not deserializeable' do
+        it 'raises exception' do
+          expect(worker.notification_service).not_to receive(method)
+          expect { worker.perform(method, key.to_global_id.to_s.succ) }.to raise_exception(ArgumentError)
+        end
+      end
+
+      context 'when the arguments are deserializeable' do
+        it 'does nothing' do
+          serialized_arguments = *serialize(key)
+          key.destroy!
+
+          expect(worker.notification_service).not_to receive(method)
+          expect { worker.perform(method, serialized_arguments) }.not_to raise_exception
+        end
       end
     end
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-01-24 12:49:58 +0000
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-01-24 12:50:01 +0000
commit	52a93abb838105fb6eb4cb130161d7db2bb6f9c6 (patch)
tree	92e4cf0fefdbd4971cde9017506b858a6d0c21d9
parent	26faee772e6956c3949ee227fe1fbb81a90c6a30 (diff)
download	gitlab-ce-52a93abb838105fb6eb4cb130161d7db2bb6f9c6.tar.gz