authorGitLab Bot <gitlab-bot@gitlab.com>2020-04-27 15:25:26 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-04-27 15:25:26 +0000
commit88725a6b87961c5f3052259f84208a6ccb943b34 (patch)
tree0d9a3366e66c03f74eba1f8ae2c4fb81912aa3bc
parented98b14d6293807e32a708faa5e33d2b5bb35282 (diff)
downloadgitlab-ce-88725a6b87961c5f3052259f84208a6ccb943b34.tar.gz
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
-rw-r--r--app/serializers/remote_mirror_entity.rb2
-rw-r--r--changelogs/unreleased/security-mirror-urls.yml5
-rw-r--r--spec/serializers/remote_mirror_entity_spec.rb7
-rwxr-xr-x[-rw-r--r--]vendor/gitignore/C++.gitignore0
-rwxr-xr-x[-rw-r--r--]vendor/gitignore/Java.gitignore0
5 files changed, 12 insertions, 2 deletions
diff --git a/app/serializers/remote_mirror_entity.rb b/app/serializers/remote_mirror_entity.rb
index 8835c6d4647..440e4274668 100644
--- a/app/serializers/remote_mirror_entity.rb
+++ b/app/serializers/remote_mirror_entity.rb
@@ -2,7 +2,7 @@
class RemoteMirrorEntity < Grape::Entity
expose :id
- expose :url
+ expose :safe_url, as: :url
expose :enabled
expose :auth_method
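Review bot: The new `expose :safe_url, as: :url` line carries no comment saying why the raw attribute must not be serialized, so a later cleanup could quietly turn it back into `expose :url`. I would add a line above it such as `# Serialize the credential-masked URL; the stored url can embed user:password.` The definition of `safe_url` is not part of this diff, so what it masks should be confirmed there. The entity body continues past the end of the hunk, and any other exposed field that can carry the remote URL (an error message, for instance) deserves the same check.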
diff --git a/changelogs/unreleased/security-mirror-urls.yml b/changelogs/unreleased/security-mirror-urls.yml
new file mode 100644
index 00000000000..774fe7758f7
--- /dev/null
+++ b/changelogs/unreleased/security-mirror-urls.yml
@@ -0,0 +1,5 @@
+---
+title: Return only safe urls for mirrors
+merge_request:
+author:
+type: security
diff --git a/spec/serializers/remote_mirror_entity_spec.rb b/spec/serializers/remote_mirror_entity_spec.rb
index 5f4aac213be..27472c46436 100644
--- a/spec/serializers/remote_mirror_entity_spec.rb
+++ b/spec/serializers/remote_mirror_entity_spec.rb
@@ -3,7 +3,7 @@
require 'spec_helper'
describe RemoteMirrorEntity do
- let(:project) { create(:project, :repository, :remote_mirror) }
+ let(:project) { create(:project, :repository, :remote_mirror, url: "https://test:password@gitlab.com") }
let(:remote_mirror) { project.remote_mirrors.first }
let(:entity) { described_class.new(remote_mirror) }
@@ -15,4 +15,9 @@ describe RemoteMirrorEntity do
:ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints
)
end
+
+ it 'does not expose password information' do
+ expect(subject[:url]).not_to include('password')
+ expect(subject[:url]).to eq(remote_mirror.safe_url)
+ end
end
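Review bot: The second expectation, `expect(subject[:url]).to eq(remote_mirror.safe_url)`, compares the entity with the model's own method, so it verifies the wiring but would still pass if `safe_url` itself stopped masking. Only the substring check on `'password'` guards the secret, and the user name `test` from the fixture is not checked at all. If `safe_url` is meant to hide the whole userinfo part, add `expect(subject[:url]).not_to include('test:')`, or pin the literal masked string expected for this fixture instead of calling `safe_url`. A more distinctive fixture secret than the word `password` would also make the negative assertion harder to satisfy by accident.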
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100644..100755
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100644..100755
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore