author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-27 15:25:26 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-27 15:25:26 +0000 |
commit | 88725a6b87961c5f3052259f84208a6ccb943b34 (patch) | |
tree | 0d9a3366e66c03f74eba1f8ae2c4fb81912aa3bc | |
parent | ed98b14d6293807e32a708faa5e33d2b5bb35282 (diff) | |
download | gitlab-ce-88725a6b87961c5f3052259f84208a6ccb943b34.tar.gz |
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
-rw-r--r-- | app/serializers/remote_mirror_entity.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-mirror-urls.yml | 5 | ||||
-rw-r--r-- | spec/serializers/remote_mirror_entity_spec.rb | 7 | ||||
-rwxr-xr-x[-rw-r--r--] | vendor/gitignore/C++.gitignore | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | vendor/gitignore/Java.gitignore | 0 |
5 files changed, 12 insertions, 2 deletions
diff --git a/app/serializers/remote_mirror_entity.rb b/app/serializers/remote_mirror_entity.rb
index 8835c6d4647..440e4274668 100644
--- a/app/serializers/remote_mirror_entity.rb
+++ b/app/serializers/remote_mirror_entity.rb
@@ -2,7 +2,7 @@
 class RemoteMirrorEntity < Grape::Entity
 expose :id
- expose :url
+ expose :safe_url, as: :url
 expose :enabled
 expose :auth_method
diff --git a/changelogs/unreleased/security-mirror-urls.yml b/changelogs/unreleased/security-mirror-urls.yml
new file mode 100644
index 00000000000..774fe7758f7
--- /dev/null
+++ b/changelogs/unreleased/security-mirror-urls.yml
@@ -0,0 +1,5 @@
+---
+title: Return only safe urls for mirrors
+merge_request:
+author:
+type: security
diff --git a/spec/serializers/remote_mirror_entity_spec.rb b/spec/serializers/remote_mirror_entity_spec.rb
index 5f4aac213be..27472c46436 100644
--- a/spec/serializers/remote_mirror_entity_spec.rb
+++ b/spec/serializers/remote_mirror_entity_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'
 describe RemoteMirrorEntity do
- let(:project) { create(:project, :repository, :remote_mirror) }
+ let(:project) { create(:project, :repository, :remote_mirror, url: "https://test:password@gitlab.com") }
 let(:remote_mirror) { project.remote_mirrors.first }
 let(:entity) { described_class.new(remote_mirror) }
@@ -15,4 +15,9 @@ describe RemoteMirrorEntity do
 :ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints
 )
 end
+
+ it 'does not expose password information' do
+ expect(subject[:url]).not_to include('password')
+ expect(subject[:url]).to eq(remote_mirror.safe_url)
+ end
 end
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100644..100755
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100644..100755
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore |
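Review bot: Nothing on the `expose :safe_url, as: :url` line in RemoteMirrorEntity records why the sanitized accessor is used, so a later tidy-up could switch it back to `expose :url` and return mirror URLs with their embedded credentials again. I would put `# Serialize safe_url, not url: the raw mirror URL may carry user:password credentials` directly above it. The class body continues past `expose :auth_method`, outside the hunk, so whether any other exposed field or another serializer for remote mirrors still returns the raw URL cannot be confirmed from here and is worth checking in the same change.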
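Review bot: In the new `does not expose password information` example of remote_mirror_entity_spec.rb, the second expectation compares `subject[:url]` with `remote_mirror.safe_url`, so it only proves the entity delegates to `safe_url`; if `safe_url` itself regressed and returned credentials, that line would still pass. The only independent check is `not_to include('password')`, which says nothing about the `test` username in the fixture URL set in the first hunk of this file. Consider pinning the literal expected string for that fixture, or at least adding `expect(subject[:url]).not_to include('test:')` if the username is meant to be hidden too; that intent is not visible on this page.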