author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-27 14:34:32 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-27 14:34:32 +0000 |
commit | 3625b2d802d094d92498a00b8206fba46948b348 (patch) | |
tree | cc46e7f9304dd45e9a8996243c876c191a0c6e03 | |
parent | 9d231b25b490c773c8a641f35b8308e1fbd525ac (diff) | |
download | gitlab-ce-3625b2d802d094d92498a00b8206fba46948b348.tar.gz |
Add latest changes from gitlab-org/security/gitlab@12-9-stable-ee
-rw-r--r-- | CHANGELOG-EE.md | 2 | ||||
-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | app/helpers/projects_helper.rb | 1 | ||||
-rw-r--r-- | app/serializers/remote_mirror_entity.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/bug-codeowner-diffs.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-branch-permissions.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-mirror-urls.yml | 5 | ||||
-rw-r--r-- | spec/helpers/application_helper_spec.rb | 23 | ||||
-rw-r--r-- | spec/serializers/remote_mirror_entity_spec.rb | 7 | ||||
-rw-r--r--[-rwxr-xr-x] | vendor/gitignore/C++.gitignore | 0 | ||||
-rw-r--r--[-rwxr-xr-x] | vendor/gitignore/Java.gitignore | 0 |
11 files changed, 44 insertions, 7 deletions
diff --git a/CHANGELOG-EE.md b/CHANGELOG-EE.md
index 6d1fb38d45d..80b075c9129 100644
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
@@ -2,6 +2,8 @@ Please view this file on the master branch, on stable branches it's out of date.
 ## 12.9.4 (2020-04-16)
+- No changes.
+- No changes.
 ### Fixed (2 changes)
 - Update index_options to fix advanced search queries. !28712
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ab3acd003dd..ef15236375c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ entry.
 ## 12.9.4 (2020-04-16)
 - No changes.
+- No changes.
 ### Fixed (5 changes, 1 of them is from the community)
 - Fix not working File upload from Project overview page. !26828 (Gilang Gumilar)
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index cf9f3b9e924..8c362645354 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -622,6 +622,7 @@ module ProjectsHelper
 def find_file_path
 return unless @project && !@project.empty_repo?
+ return unless can?(current_user, :download_code, @project)
 ref = @ref || @project.repository.root_ref
diff --git a/app/serializers/remote_mirror_entity.rb b/app/serializers/remote_mirror_entity.rb
index 8835c6d4647..440e4274668 100644
--- a/app/serializers/remote_mirror_entity.rb
+++ b/app/serializers/remote_mirror_entity.rb
@@ -2,7 +2,7 @@
 class RemoteMirrorEntity < Grape::Entity
 expose :id
- expose :url
+ expose :safe_url, as: :url
 expose :enabled
 expose :auth_method
diff --git a/changelogs/unreleased/bug-codeowner-diffs.yml b/changelogs/unreleased/bug-codeowner-diffs.yml
new file mode 100644
index 00000000000..996628240ab
--- /dev/null
+++ b/changelogs/unreleased/bug-codeowner-diffs.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure MR diff exists before codeowner check
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-branch-permissions.yml b/changelogs/unreleased/security-branch-permissions.yml
new file mode 100644
index 00000000000..6b8abe3eda6
--- /dev/null
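Review bot: The new `can?` guard in `find_file_path` runs after `@project.empty_repo?`, so the repository is still consulted on behalf of a user who holds no `download_code` permission on the project; checking the permission first keeps unauthorized requests away from repository access and states the intent of the fix more directly: `return unless @project && can?(current_user, :download_code, @project)` followed by `return if @project.empty_repo?`. A one-line comment above the guard would also protect it from being moved or dropped later, e.g. `# the returned path embeds a repository ref, which only users with download_code may learn`. The remainder of `find_file_path` lies outside the hunk.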
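Review bot: `expose :safe_url, as: :url` in `RemoteMirrorEntity` leaves the reader to discover that `safe_url` is the credential-free form of the mirror URL, and nothing on the line records that the raw `url` attribute must not be exposed again; a comment such as `# never expose the raw url here: it may carry embedded credentials, safe_url masks them` would guard against a well-meaning revert. The definition of `safe_url` is not part of this diff, so exactly what it removes (the password alone or the whole userinfo) is worth confirming against the model that defines it before relying on the new spec.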
+++ b/changelogs/unreleased/security-branch-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent unauthorized access to default branch
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-mirror-urls.yml b/changelogs/unreleased/security-mirror-urls.yml
new file mode 100644
index 00000000000..774fe7758f7
--- /dev/null
+++ b/changelogs/unreleased/security-mirror-urls.yml
@@ -0,0 +1,5 @@
+---
+title: Return only safe urls for mirrors
+merge_request:
+author:
+type: security
diff --git a/spec/helpers/application_helper_spec.rb b/spec/helpers/application_helper_spec.rb
index a67475e47a3..a96046735c8 100644
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -277,11 +277,16 @@ describe ApplicationHelper do
 end
 context 'when @project is set' do
- it 'includes all possible body data elements and associates the project elements with project' do
- project = create(:project)
+ let_it_be(:project) { create(:project, :repository) }
+ let_it_be(:user) { create(:user) }
+ before do
 assign(:project, project)
+ allow(helper).to receive(:current_user).and_return(nil)
+ end
+ it 'includes all possible body data elements and associates the project elements with project' do
+ expect(helper).to receive(:can?).with(nil, :download_code, project)
 expect(helper.body_data).to eq(
 {
 page: 'application',
@@ -302,12 +307,11 @@ describe ApplicationHelper do
 context 'when params[:id] is present and the issue exsits and action_name is show' do
 it 'sets all project and id elements correctly related to the issue' do
- issue = create(:issue)
+ issue = create(:issue, project: project)
 stub_controller_method(:action_name, 'show')
 stub_controller_method(:params, { id: issue.id })
- assign(:project, issue.project)
-
+ expect(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
 expect(helper.body_data).to eq(
 {
 page: 'projects:issues:show',
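Review bot: In the first `application_helper_spec.rb` hunk the line `expect(helper).to receive(:can?).with(nil, :download_code, project)` carries no `and_return`, so the stub answers `nil` and the example exercises the denied path implicitly while its title claims to cover "all possible body data elements"; the second hunk pins the same stub with `.and_return(false)`, and the first example should do the same so the intended outcome is explicit. If the expected hash that follows (outside the hunk) is meant to include a `find_file` entry for an authorized user, that example would instead need `.and_return(true)` and a user stubbed as `current_user`, as the later positive example does. Either way, stating the return value makes the anonymous-user case readable without running it.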
@@ -322,6 +326,15 @@ describe ApplicationHelper do
 end
 end
 end
+
+ context 'when current_user has download_code permission' do
+ it 'returns find_file with the default branch' do
+ allow(helper).to receive(:current_user).and_return(user)
+
+ expect(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
+ expect(helper.body_data[:find_file]).to end_with(project.default_branch)
+ end
+ end
 end
 def stub_controller_method(method_name, value)
diff --git a/spec/serializers/remote_mirror_entity_spec.rb b/spec/serializers/remote_mirror_entity_spec.rb
index 5f4aac213be..27472c46436 100644
--- a/spec/serializers/remote_mirror_entity_spec.rb
+++ b/spec/serializers/remote_mirror_entity_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'
 describe RemoteMirrorEntity do
- let(:project) { create(:project, :repository, :remote_mirror) }
+ let(:project) { create(:project, :repository, :remote_mirror, url: "https://test:password@gitlab.com") }
 let(:remote_mirror) { project.remote_mirrors.first }
 let(:entity) { described_class.new(remote_mirror) }
@@ -15,4 +15,9 @@ describe RemoteMirrorEntity do
 :ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints
 )
 end
+
+ it 'does not expose password information' do
+ expect(subject[:url]).not_to include('password')
+ expect(subject[:url]).to eq(remote_mirror.safe_url)
+ end
 end
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100755..100644
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100755..100644
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore |
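Review bot: In `remote_mirror_entity_spec.rb` the assertion `expect(subject[:url]).not_to include('password')` is tied to the literal fixture secret, and `expect(subject[:url]).to eq(remote_mirror.safe_url)` only restates the serializer line, so neither fails if `safe_url` were ever changed to return the stored value unchanged while the fixture URL no longer contains that word. Adding `expect(subject[:url]).not_to eq(remote_mirror.url)` pins that masking actually took place independently of the masking format, and keeping the literal check alongside it documents which part of the URL must vanish. The `subject` these lines use is presumably defined outside the hunk; confirm it serializes `entity` rather than building a second one.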