author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-06-30 11:44:35 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-06-30 11:45:00 +0000 |
commit | 64ed8e1d79a385fef8bf3da630a1d5c5f9b9577b (patch) | |
tree | 9f2f8d0244ed217a6d0ffa8daf21b69f74f6c939 | |
parent | 484b5969a0bc74086355d7a3d64dc38278907e08 (diff) | |
download | gitlab-ce-64ed8e1d79a385fef8bf3da630a1d5c5f9b9577b.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee
-rw-r--r-- | Gemfile | 2 | ||||
-rw-r--r-- | Gemfile.lock | 4 | ||||
-rw-r--r-- | app/models/user.rb | 7 | ||||
-rw-r--r-- | locale/gitlab.pot | 3 | ||||
-rw-r--r-- | spec/models/user_spec.rb | 13 | ||||
-rw-r--r-- | spec/requests/api/projects_spec.rb | 2 | ||||
-rw-r--r-- | spec/requests/api/users_spec.rb | 2 |
7 files changed, 28 insertions, 5 deletions
@@ -157,7 +157,7 @@ gem 'github-markup', '~> 1.7.0', require: 'github/markup'
 gem 'commonmarker', '~> 0.21'
 gem 'kramdown', '~> 2.3.1'
 gem 'RedCloth', '~> 4.3.2'
-gem 'rdoc', '~> 6.1.2'
+gem 'gitlab-rdoc', '~> 6.3.2', require: 'rdoc' # We need this fork until rdoc releases a new version. See https://gitlab.com/gitlab-org/gitlab/-/issues/334695
 gem 'org-ruby', '~> 0.9.12'
 gem 'creole', '~> 0.5.0'
 gem 'wikicloth', '0.8.1'
diff --git a/Gemfile.lock b/Gemfile.lock
index 8c94778a6f1..b6a2ff32257 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -483,6 +483,7 @@ GEM
 addressable (~> 2.7)
 omniauth (~> 1.9)
 openid_connect (~> 1.2)
+ gitlab-rdoc (6.3.2)
 gitlab-sidekiq-fetcher (0.5.6)
 sidekiq (~> 5)
 gitlab-styles (6.2.0)
@@ -1008,7 +1009,6 @@ GEM
 msgpack (>= 0.4.3)
 optimist (>= 3.0.0)
 rchardet (1.8.0)
- rdoc (6.1.2)
 re2 (1.2.0)
 recaptcha (4.13.1)
 json
@@ -1485,6 +1485,7 @@ DEPENDENCIES
 gitlab-markup (~> 1.7.1)
 gitlab-net-dns (~> 0.9.1)
 gitlab-omniauth-openid-connect (~> 0.4.0)
+ gitlab-rdoc (~> 6.3.2)
 gitlab-sidekiq-fetcher (= 0.5.6)
 gitlab-styles (~> 6.2.0)
 gitlab_chronic_duration (~> 0.10.6.2)
@@ -1594,7 +1595,6 @@ DEPENDENCIES
 raindrops (~> 0.18)
 rblineprof (~> 0.3.6)
 rbtrace (~> 0.4)
- rdoc (~> 6.1.2)
 re2 (~> 1.2.0)
 recaptcha (~> 4.11)
 redis (~> 4.0)
diff --git a/app/models/user.rb b/app/models/user.rb
index 91a7a2bc9c3..5feb3485b84 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -238,6 +238,7 @@ class User < ApplicationRecord
 validate :owns_commit_email, if: :commit_email_changed?
 validate :signup_domain_valid?, on: :create, if: ->(user) { !user.created_by_id }
 validate :check_email_restrictions, on: :create, if: ->(user) { !user.created_by_id }
+ validate :check_username_format, if: :username_changed?
 validates :theme_id, allow_nil: true, inclusion: { in: Gitlab::Themes.valid_ids, message: _("%{placeholder} is not a valid theme") % { placeholder: '%{value}' } }
@@ -2083,6 +2084,12 @@ class User < ApplicationRecord
 end
 end
+ def check_username_format
+ return if username.blank? || Mime::EXTENSION_LOOKUP.keys.none? { |type| username.end_with?(type) }
+
+ errors.add(:username, _('ending with MIME type format is not allowed.'))
+ end
+
 def groups_with_developer_maintainer_project_access
 project_creation_levels = [::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS]
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 1b2f0b26cda..9f94ae98a6c 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -38357,6 +38357,9 @@ msgstr ""
 msgid "encrypted: needs to be a :required, :optional or :migrating!"
 msgstr ""
+msgid "ending with MIME type format is not allowed."
+msgstr ""
+
 msgid "entries cannot be larger than 255 characters"
 msgstr ""
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 2cd8d52a7c1..bce3083ab94 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -376,6 +376,19 @@ RSpec.describe User do
 expect(user.errors.full_messages).to eq(['Username has already been taken'])
 end
 end
+
+ it 'validates format' do
+ Mime::EXTENSION_LOOKUP.keys.each do |type|
+ user = build(:user, username: "test.#{type}")
+
+ expect(user).not_to be_valid
+ expect(user.errors.full_messages).to include('Username ending with MIME type format is not allowed.')
+ end
+ end
+
+ it 'validates format on updated record' do
+ expect(create(:user).update(username: 'profile.html')).to be_falsey
+ end
 end
 it 'has a DB-level NOT NULL constraint on projects_limit' do
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 7f804186bc7..dc7ee4098fe 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
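Review bot: `username.end_with?(type)` in check_username_format tests for the bare extension rather than a `.extension` suffix, so a username such as `thomasjs` or `marycsv` is rejected together with the `profile.html` case the spec exercises, and the spec never covers the undotted form. Matching the dotted suffix keeps the added examples passing and removes those false positives: `return if username.blank? || Mime::EXTENSION_LOOKUP.keys.none? { |type| username.end_with?(".#{type}") }`. The comparison is also case-sensitive, so if usernames may contain uppercase letters `Profile.HTML` would pass the check — worth confirming against the existing username format rules. The method carries no comment on why a trailing MIME extension is disallowed; presumably it is to stop a username from being interpreted as a response format suffix in routes, and if so a one-line `# A trailing MIME extension could be read as a format suffix by the router` above the `return` would record the intent.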
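Review bot: The two new examples only assert rejection of `test.#{type}` and `profile.html`; nothing pins that a dotted username without a MIME suffix remains valid, even though this commit renames the `user.with.dot` fixtures in projects_spec and users_spec to `user.withdot` without the diff saying why. A positive example next to `validates format`, e.g. `expect(build(:user, username: 'user.withdot')).to be_valid`, would document the intended boundary of the rule. `validates format on updated record` only checks for a falsey `update` result; asserting the specific error on `user.errors` would make a regression in the message or in the `username_changed?` condition visible rather than masked by any other failing validation.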
@@ -56,7 +56,7 @@ RSpec.describe API::Projects do let_it_be(:project, reload: true) { create(:project, :repository, namespace: user.namespace) } let_it_be(:project2, reload: true) { create(:project, namespace: user.namespace) } let_it_be(:project_member) { create(:project_member, :developer, user: user3, project: project) } - let_it_be(:user4) { create(:user, username: 'user.with.dot') } + let_it_be(:user4) { create(:user, username: 'user.withdot') } let_it_be(:project3, reload: true) do create(:project, :private, diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb index 71fdd986f20..629576134a0 100644 --- a/spec/requests/api/users_spec.rb +++ b/spec/requests/api/users_spec.rb @@ -4,7 +4,7 @@ require 'spec_helper' RSpec.describe API::Users do let_it_be(:admin) { create(:admin) } - let_it_be(:user, reload: true) { create(:user, username: 'user.with.dot') } + let_it_be(:user, reload: true) { create(:user, username: 'user.withdot') } let_it_be(:key) { create(:key, user: user) } let_it_be(:gpg_key) { create(:gpg_key, user: user) } let_it_be(:email) { create(:email, user: user) } |