authorGitLab Bot <gitlab-bot@gitlab.com>2020-01-28 14:23:34 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-01-28 14:23:34 +0000
commit3e5f4a8802d60908fe3bcf56a72afd15e1a4777a (patch)
treec0f216d842e657a01c85ec031bfbae0a927cbc62
parentb9bf11ef5f63203c6974c4432553270f7b3d29a1 (diff)
downloadgitlab-ce-3e5f4a8802d60908fe3bcf56a72afd15e1a4777a.tar.gz
Add latest changes from gitlab-org/security/gitlab@12-7-stable-ee
-rw-r--r--changelogs/unreleased/security-dos-via-asciidoc-includes.yml5
-rw-r--r--doc/user/asciidoc.md5
-rw-r--r--lib/gitlab/asciidoc.rb2
-rw-r--r--lib/gitlab/asciidoc/include_processor.rb11
-rw-r--r--spec/lib/gitlab/asciidoc/include_processor_spec.rb44
-rw-r--r--spec/lib/gitlab/asciidoc_spec.rb18
-rwxr-xr-x[-rw-r--r--]vendor/gitignore/C++.gitignore0
-rwxr-xr-x[-rw-r--r--]vendor/gitignore/Java.gitignore0
8 files changed, 2 insertions, 83 deletions
diff --git a/changelogs/unreleased/security-dos-via-asciidoc-includes.yml b/changelogs/unreleased/security-dos-via-asciidoc-includes.yml
deleted file mode 100644
index 8fc3bd32316..00000000000
--- a/changelogs/unreleased/security-dos-via-asciidoc-includes.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Limit number of AsciiDoc includes per document
-merge_request:
-author:
-type: security
diff --git a/doc/user/asciidoc.md b/doc/user/asciidoc.md
index da6bf287955..b4d3cb58e97 100644
--- a/doc/user/asciidoc.md
+++ b/doc/user/asciidoc.md
@@ -221,11 +221,6 @@ include::basics.adoc[]
include::https://example.org/installation.adoc[]
```
-To guarantee good system performance and prevent malicious documents causing
-problems, GitLab enforces a **maximum limit** on the number of include directives
-processed in any one document. Currently a total of 32 documents can be
-included, a number that is inclusive of transitive dependencies.
-
### Blocks
```asciidoc
diff --git a/lib/gitlab/asciidoc.rb b/lib/gitlab/asciidoc.rb
index 8d072422e17..da65caa6c9c 100644
--- a/lib/gitlab/asciidoc.rb
+++ b/lib/gitlab/asciidoc.rb
@@ -11,7 +11,6 @@ module Gitlab
# the resulting HTML through HTML pipeline filters.
module Asciidoc
MAX_INCLUDE_DEPTH = 5
- MAX_INCLUDES = 32
DEFAULT_ADOC_ATTRS = {
'showtitle' => true,
'sectanchors' => true,
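Review bot: With `MAX_INCLUDES` removed, `MAX_INCLUDE_DEPTH = 5` on the line above is the only bound left on include processing, and depth alone does not cap total work: nothing limits how many files a document includes at each level, so the number of blobs read can grow with the fan-out at every level up to that depth. The same withdrawal is made in the second hunk of this file (`context[:max_includes]`) and in lib/gitlab/asciidoc/include_processor.rb, where the `included.size >= max_includes` check in include_allowed? and the `included << filename` tracking in read_blob are dropped, while the spec that exercised cyclic many-includes documents (spec/lib/gitlab/asciidoc_spec.rb, 'cyclic imports') is deleted rather than kept. The commit message does not say why the limit is being withdrawn; if it rejected legitimate documents, raising the value or taking it from the caller's context would keep a bound in place, e.g. `MAX_INCLUDES = 32 # ceiling on includes per document, transitive ones included`. At minimum the deleted cyclic-includes spec should stay as a regression test that rendering such a document terminates. The enclosing `module Asciidoc` starts before this hunk.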
@@ -41,7 +40,6 @@ module Gitlab
extensions: extensions }
context[:pipeline] = :ascii_doc
- context[:max_includes] = [MAX_INCLUDES, context[:max_includes]].compact.min
plantuml_setup
diff --git a/lib/gitlab/asciidoc/include_processor.rb b/lib/gitlab/asciidoc/include_processor.rb
index 53d1135a2d7..6e0b7ce60ba 100644
--- a/lib/gitlab/asciidoc/include_processor.rb
+++ b/lib/gitlab/asciidoc/include_processor.rb
@@ -14,8 +14,6 @@ module Gitlab
@context = context
@repository = context[:repository] || context[:project].try(:repository)
- @max_includes = context[:max_includes].to_i
- @included = []
# Note: Asciidoctor calls #freeze on extensions, so we can't set new
# instance variables after initialization.
@@ -30,11 +28,8 @@ module Gitlab
def include_allowed?(target, reader)
doc = reader.document
- max_include_depth = doc.attributes.fetch('max-include-depth').to_i
-
- return false if max_include_depth < 1
+ return false if doc.attributes.fetch('max-include-depth').to_i < 1
return false if target_uri?(target)
- return false if included.size >= max_includes
true
end
@@ -67,7 +62,7 @@ module Gitlab
private
- attr_reader :context, :repository, :cache, :max_includes, :included
+ attr_accessor :context, :repository, :cache
# Gets a Blob at a path for a specific revision.
# This method will check that the Blob exists and contains readable text.
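Review bot: `attr_accessor :context, :repository, :cache` declares private writers that nothing in this hunk uses, and the comment kept in the first hunk of this file ("Asciidoctor calls #freeze on extensions, so we can't set new instance variables after initialization") means a setter invoked after initialization would raise FrozenError anyway; `attr_reader :context, :repository, :cache` is the narrower declaration that matches the line it replaces and the reads the class performs. The rest of the class is outside this hunk, so if a setter is relied on elsewhere it is not visible here.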
@@ -82,8 +77,6 @@ module Gitlab
raise 'Blob not found' unless blob
raise 'File is not readable' unless blob.readable_text?
- included << filename
-
blob
end
diff --git a/spec/lib/gitlab/asciidoc/include_processor_spec.rb b/spec/lib/gitlab/asciidoc/include_processor_spec.rb
deleted file mode 100644
index 5fec4d9e208..00000000000
--- a/spec/lib/gitlab/asciidoc/include_processor_spec.rb
+++ /dev/null
@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-require 'nokogiri'
-
-describe Gitlab::Asciidoc::IncludeProcessor do
- let_it_be(:project) { create(:project, :repository) }
-
- let(:processor_context) do
- {
- project: project,
- max_includes: max_includes,
- ref: ref
- }
- end
- let(:ref) { project.repository.root_ref }
- let(:max_includes) { 10 }
-
- let(:reader) { Asciidoctor::PreprocessorReader.new(document, lines, 'file.adoc') }
- let(:document) { Asciidoctor::Document.new(lines) }
-
- subject(:processor) { described_class.new(processor_context) }
-
- let(:a_blob) { double(:Blob, readable_text?: true, data: a_data) }
- let(:a_data) { StringIO.new('include::b.adoc[]') }
-
- let(:lines) { [':max-include-depth: 1000'] + Array.new(10, 'include::a.adoc[]') }
-
- before do
- allow(project.repository).to receive(:blob_at).with(ref, 'a.adoc').and_return(a_blob)
- end
-
- describe '#include_allowed?' do
- it 'allows the first include' do
- expect(processor.send(:include_allowed?, 'foo.adoc', reader)).to be_truthy
- end
-
- it 'disallows the Nth + 1 include' do
- max_includes.times { processor.send(:read_blob, ref, 'a.adoc') }
-
- expect(processor.send(:include_allowed?, 'foo.adoc', reader)).to be_falsey
- end
- end
-end
diff --git a/spec/lib/gitlab/asciidoc_spec.rb b/spec/lib/gitlab/asciidoc_spec.rb
index c7156a500d0..c8d159d1e84 100644
--- a/spec/lib/gitlab/asciidoc_spec.rb
+++ b/spec/lib/gitlab/asciidoc_spec.rb
@@ -425,24 +425,6 @@ module Gitlab
create_file(current_file, "= AsciiDoc\n")
end
- def many_includes(target)
- Array.new(10, "include::#{target}[]").join("\n")
- end
-
- context 'cyclic imports' do
- before do
- create_file('doc/api/a.adoc', many_includes('b.adoc'))
- create_file('doc/api/b.adoc', many_includes('a.adoc'))
- end
-
- let(:include_path) { 'a.adoc' }
- let(:requested_path) { 'doc/api/README.md' }
-
- it 'completes successfully' do
- is_expected.to include('<p>Include this:</p>')
- end
- end
-
context 'with path to non-existing file' do
let(:include_path) { 'not-exists.adoc' }
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100644..100755
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100644..100755
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore