author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-06 19:18:04 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-06 19:18:04 +0000 |
commit | bd200951d7e928b84bd5b4ef1210a56d688a03c9 (patch) | |
tree | 498c9c8307267ae7b58ed7798120de9f6eaa9524 | |
parent | 19e2b7faf7439992f9d91f4b053d25d956f3e83a (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee
-rw-r--r-- | GITLAB_PAGES_VERSION | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-package-regex-dos.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-pages-1-33.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-trusted-confidential-apps.yml | 5 | ||||
-rw-r--r-- | db/migrate/20201222151823_update_trusted_apps_to_confidential.rb | 23 | ||||
-rw-r--r-- | db/schema_migrations/20201222151823 | 1 | ||||
-rw-r--r-- | db/structure.sql | 2 | ||||
-rw-r--r-- | lib/gitlab/regex.rb | 13 | ||||
-rw-r--r-- | spec/lib/gitlab/regex_spec.rb | 6 |
9 files changed, 60 insertions, 2 deletions
diff --git a/GITLAB_PAGES_VERSION b/GITLAB_PAGES_VERSION
index 359c41089a4..2b17ffd5042 100644
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
@@ -1 +1 @@
-1.32.0
+1.34.0
diff --git a/changelogs/unreleased/security-package-regex-dos.yml b/changelogs/unreleased/security-package-regex-dos.yml
new file mode 100644
index 00000000000..79bec83526d
--- /dev/null
+++ b/changelogs/unreleased/security-package-regex-dos.yml
@@ -0,0 +1,5 @@
+---
+title: Fix regular expression backtracking issue in package name validation
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-pages-1-33.yml b/changelogs/unreleased/security-pages-1-33.yml
new file mode 100644
index 00000000000..d3ca056eefc
--- /dev/null
+++ b/changelogs/unreleased/security-pages-1-33.yml
@@ -0,0 +1,5 @@
+---
+title: Fix stealing API token from GitLab Pages and DoS Prometheus through GitLab Pages
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-trusted-confidential-apps.yml b/changelogs/unreleased/security-trusted-confidential-apps.yml
new file mode 100644
index 00000000000..b4f7a9eb448
--- /dev/null
+++ b/changelogs/unreleased/security-trusted-confidential-apps.yml
@@ -0,0 +1,5 @@
+---
+title: Update trusted OAuth applications to set them as confidential
+merge_request:
+author:
+type: security
diff --git a/db/migrate/20201222151823_update_trusted_apps_to_confidential.rb b/db/migrate/20201222151823_update_trusted_apps_to_confidential.rb
new file mode 100644
index 00000000000..bcb94c65125
--- /dev/null
+++ b/db/migrate/20201222151823_update_trusted_apps_to_confidential.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+class UpdateTrustedAppsToConfidential < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+  INDEX_NAME = 'tmp_index_oauth_applications_on_id_where_trusted'
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :oauth_applications, :id, where: 'trusted = true', name: INDEX_NAME
+
+    execute('UPDATE oauth_applications SET confidential = true WHERE trusted = true')
+  end
+
+  def down
+    # We won't be able to tell which trusted applications weren't confidential before the migration
+    # and setting all trusted applications are not confidential would introduce security issues
+
+    remove_concurrent_index_by_name :oauth_applications, INDEX_NAME
+  end
+end
diff --git a/db/schema_migrations/20201222151823 b/db/schema_migrations/20201222151823
new file mode 100644
index 00000000000..914e96473a0
--- /dev/null
+++ b/db/schema_migrations/20201222151823
@@ -0,0 +1 @@
+d3af120a74b4c55345ac7fb524395251cd3c1b3cd9685f711196a134f427845c
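Review bot: `up` creates the temporary index `tmp_index_oauth_applications_on_id_where_trusted` solely to speed the single UPDATE but never drops it, so the index outlives the migration (the structure.sql section of this same commit now carries it) until a follow-up migration removes it. Dropping it at the end of `up` with `remove_concurrent_index_by_name :oauth_applications, INDEX_NAME` keeps the schema clean, and `down` then only needs its comment explaining why `confidential` is intentionally not reverted. The decision not to flip trusted applications back to non-confidential in `down` is the right one for this hardening; I would just tighten the comment wording to `# Reverting would mark every trusted application non-confidential, which would reintroduce the issue` so the security reasoning reads clearly. The UPDATE is unbatched, which presumably is fine because trusted applications are a small, admin-managed set — worth confirming against production data sizes.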
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 105b7701409..6380f64c64c 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -23004,6 +23004,8 @@ CREATE INDEX tmp_build_stage_position_index ON ci_builds USING btree (stage_id,
 CREATE INDEX tmp_index_for_email_unconfirmation_migration ON emails USING btree (id) WHERE (confirmed_at IS NOT NULL);
 
+CREATE INDEX tmp_index_oauth_applications_on_id_where_trusted ON oauth_applications USING btree (id) WHERE (trusted = true);
+
 CREATE INDEX tmp_index_on_vulnerabilities_non_dismissed ON vulnerabilities USING btree (id) WHERE (state <> 2);
 
 CREATE UNIQUE INDEX unique_merge_request_metrics_by_merge_request_id ON merge_request_metrics USING btree (merge_request_id);
 
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index 4ae6297f6f5..96f2b7570b3 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -27,7 +27,18 @@ module Gitlab
     end
 
     def package_name_regex
-      @package_name_regex ||= %r{\A\@?(([\w\-\.\+]*)\/)*([\w\-\.]+)@?(([\w\-\.\+]*)\/)*([\w\-\.]*)\z}.freeze
+      @package_name_regex ||=
+        %r{
+          \A\@?
+          (?> # atomic group to prevent backtracking
+            (([\w\-\.\+]*)\/)*([\w\-\.]+)
+          )
+          @?
+          (?> # atomic group to prevent backtracking
+            (([\w\-\.\+]*)\/)*([\w\-\.]*)
+          )
+          \z
+        }x.freeze
     end
 
     def maven_file_name_regex
diff --git a/spec/lib/gitlab/regex_spec.rb b/spec/lib/gitlab/regex_spec.rb
index ebb37f45b95..776ca81a338 100644
--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@@ -292,6 +292,12 @@ RSpec.describe Gitlab::Regex do
       it { is_expected.not_to match('my package name') }
       it { is_expected.not_to match('!!()()') }
       it { is_expected.not_to match("..\n..\foo") }
+
+      it 'has no backtracking issue' do
+        Timeout.timeout(1) do
+          expect(subject).not_to match("-" * 50000 + ";")
+        end
+      end
     end
 
     describe '.maven_file_name_regex' do
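Review bot: The rewritten `package_name_regex` literal now depends on the `x` flag (whitespace ignored, `#` starts a comment), which is what makes the inline `# atomic group` comments legal, but nothing tells the next editor that a literal space or `#` added to one of the character classes would silently disappear from the pattern. A one-line comment above `%r{`, such as `# extended mode: whitespace is insignificant and '#' begins a comment — escape either if it is ever needed in a class`, would guard against that. It is also worth noting in that comment that `(?>...)` is non-capturing, so the six numbered capture groups keep exactly the numbering of the previous single-line pattern for any caller that reads them (presumably none do, but the invariant should be stated rather than assumed). The enclosing `Gitlab::Regex` module begins and ends outside this hunk.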
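Review bot: The regression spec exercises a single pathological shape — a long run of `-` followed by `;` — while both atomic groups contain the same nested `(([\w\-\.\+]*)\/)*` quantifier over overlapping character classes, and the `@?` between the groups is the one remaining choice point; inputs built from `/`-separated segments or carrying an `@` are not covered. Adding `expect(subject).not_to match("a/" * 25_000 + ";")` and `expect(subject).not_to match("@" + "-" * 50_000 + ";")` inside the same `Timeout.timeout(1)` block would pin the fix for those shapes too. A wall-clock limit of one second can also be flaky on a loaded CI runner; a short comment stating that the test is a time-bound guard against catastrophic backtracking, not a performance benchmark, would help whoever first sees it fail. The surrounding `describe` block starts outside the hunk.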