diff options
author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2021-01-07 15:51:33 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2021-01-07 15:51:33 +0000 |
commit | 0027e00e2ee1a581370530493eea9b0bfa597990 (patch) | |
tree | 48a5f484aaebaee782e29593635773540fa489e8 | |
parent | effcf70e63bcb411a43986a450a22aa8217d1de5 (diff) | |
parent | 2754dab2b1bc02e7ba0ad559761e6f50b3771e70 (diff) | |
download | gitlab-ce-0027e00e2ee1a581370530493eea9b0bfa597990.tar.gz |
Merge remote-tracking branch 'dev/13-6-stable' into 13-6-stable
-rw-r--r-- | CHANGELOG.md | 13 | ||||
-rw-r--r-- | GITALY_SERVER_VERSION | 2 | ||||
-rw-r--r-- | GITLAB_PAGES_VERSION | 2 | ||||
-rw-r--r-- | GITLAB_WORKHORSE_VERSION | 2 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | app/controllers/oauth/authorizations_controller.rb | 11 | ||||
-rw-r--r-- | app/controllers/projects/raw_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/repositories_controller.rb | 2 | ||||
-rw-r--r-- | db/migrate/20201222151823_update_trusted_apps_to_confidential.rb | 23 | ||||
-rw-r--r-- | db/schema_migrations/20201222151823 | 1 | ||||
-rw-r--r-- | db/structure.sql | 2 | ||||
-rw-r--r-- | lib/api/nuget_packages.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/regex.rb | 13 | ||||
-rw-r--r-- | spec/controllers/oauth/authorizations_controller_spec.rb | 14 | ||||
-rw-r--r-- | spec/controllers/projects/raw_controller_spec.rb | 12 | ||||
-rw-r--r-- | spec/controllers/projects/repositories_controller_spec.rb | 12 | ||||
-rw-r--r-- | spec/lib/gitlab/regex_spec.rb | 6 |
17 files changed, 113 insertions, 8 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index b676ddad5fa..61d35535fa5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,19 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 13.6.4 (2021-01-07) + +### Security (7 changes) + +- Forbid public cache for private repos. +- Deny implicit flow for confidential apps. +- Update NuGet regular expression to protect against ReDoS. +- Fix regular expression backtracking issue in package name validation. +- Upgrade GitLab Pages to 1.30.2. +- Update trusted OAuth applications to set them as confidential. +- Upgrade Workhorse to 8.54.2. + + ## 13.6.3 (2020-12-10) ### Fixed (5 changes) diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index 06a348286f5..d59f23d1885 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -13.6.3
\ No newline at end of file +13.6.4
\ No newline at end of file diff --git a/GITLAB_PAGES_VERSION b/GITLAB_PAGES_VERSION index 034552a83ee..d1eaa3ba0b8 100644 --- a/GITLAB_PAGES_VERSION +++ b/GITLAB_PAGES_VERSION @@ -1 +1 @@ -1.30.0 +1.30.2 diff --git a/GITLAB_WORKHORSE_VERSION b/GITLAB_WORKHORSE_VERSION index a99caf2cdef..275754a681a 100644 --- a/GITLAB_WORKHORSE_VERSION +++ b/GITLAB_WORKHORSE_VERSION @@ -1 +1 @@ -8.54.0 +8.54.2 @@ -1 +1 @@ -13.6.3
\ No newline at end of file +13.6.4
\ No newline at end of file diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb index 6e8686ee90b..ade698baa7f 100644 --- a/app/controllers/oauth/authorizations_controller.rb +++ b/app/controllers/oauth/authorizations_controller.rb @@ -24,6 +24,17 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController end end + def create + # Confidential apps require the client_secret to be sent with the request. + # Doorkeeper allows implicit grant flow requests (response_type=token) to + # work without client_secret regardless of the confidential setting. + if pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential + render "doorkeeper/authorizations/error" + else + super + end + end + private def verify_confirmed_email! diff --git a/app/controllers/projects/raw_controller.rb b/app/controllers/projects/raw_controller.rb index d8ba7e4f235..b7ba42a0ebc 100644 --- a/app/controllers/projects/raw_controller.rb +++ b/app/controllers/projects/raw_controller.rb @@ -21,7 +21,7 @@ class Projects::RawController < Projects::ApplicationController def show @blob = @repository.blob_at(@commit.id, @path) - send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: @project.public?) + send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: Guest.can?(:download_code, @project)) end private diff --git a/app/controllers/projects/repositories_controller.rb b/app/controllers/projects/repositories_controller.rb index fb6a09cff65..da018b24836 100644 --- a/app/controllers/projects/repositories_controller.rb +++ b/app/controllers/projects/repositories_controller.rb @@ -53,7 +53,7 @@ class Projects::RepositoriesController < Projects::ApplicationController end def set_cache_headers - expires_in cache_max_age(archive_metadata['CommitId']), public: project.public? + expires_in cache_max_age(archive_metadata['CommitId']), public: Guest.can?(:download_code, project) fresh_when(etag: archive_metadata['ArchivePath']) end diff --git a/db/migrate/20201222151823_update_trusted_apps_to_confidential.rb b/db/migrate/20201222151823_update_trusted_apps_to_confidential.rb new file mode 100644 index 00000000000..bcb94c65125 --- /dev/null +++ b/db/migrate/20201222151823_update_trusted_apps_to_confidential.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true + +class UpdateTrustedAppsToConfidential < ActiveRecord::Migration[6.0] + include Gitlab::Database::MigrationHelpers + + DOWNTIME = false + INDEX_NAME = 'tmp_index_oauth_applications_on_id_where_trusted' + + disable_ddl_transaction! + + def up + add_concurrent_index :oauth_applications, :id, where: 'trusted = true', name: INDEX_NAME + + execute('UPDATE oauth_applications SET confidential = true WHERE trusted = true') + end + + def down + # We won't be able to tell which trusted applications weren't confidential before the migration + # and setting all trusted applications are not confidential would introduce security issues + + remove_concurrent_index_by_name :oauth_applications, INDEX_NAME + end +end diff --git a/db/schema_migrations/20201222151823 b/db/schema_migrations/20201222151823 new file mode 100644 index 00000000000..914e96473a0 --- /dev/null +++ b/db/schema_migrations/20201222151823 @@ -0,0 +1 @@ +d3af120a74b4c55345ac7fb524395251cd3c1b3cd9685f711196a134f427845c
\ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index f29f9178a26..1ed6ea64eca 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -22367,6 +22367,8 @@ CREATE INDEX tmp_idx_index_issues_with_outdate_blocking_count ON issues USING bt CREATE INDEX tmp_index_for_email_unconfirmation_migration ON emails USING btree (id) WHERE (confirmed_at IS NOT NULL); +CREATE INDEX tmp_index_oauth_applications_on_id_where_trusted ON oauth_applications USING btree (id) WHERE (trusted = true); + CREATE UNIQUE INDEX unique_merge_request_metrics_by_merge_request_id ON merge_request_metrics USING btree (merge_request_id); CREATE UNIQUE INDEX vulnerability_feedback_unique_idx ON vulnerability_feedback USING btree (project_id, category, feedback_type, project_fingerprint); diff --git a/lib/api/nuget_packages.rb b/lib/api/nuget_packages.rb index 65a85f3c930..c4755f5fdc1 100644 --- a/lib/api/nuget_packages.rb +++ b/lib/api/nuget_packages.rb @@ -13,7 +13,7 @@ module API feature_category :package_registry POSITIVE_INTEGER_REGEX = %r{\A[1-9]\d*\z}.freeze - NON_NEGATIVE_INTEGER_REGEX = %r{\A0|[1-9]\d*\z}.freeze + NON_NEGATIVE_INTEGER_REGEX = %r{\A(0|[1-9]\d*)\z}.freeze PACKAGE_FILENAME = 'package.nupkg' diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb index 4ae6297f6f5..96f2b7570b3 100644 --- a/lib/gitlab/regex.rb +++ b/lib/gitlab/regex.rb @@ -27,7 +27,18 @@ module Gitlab end def package_name_regex - @package_name_regex ||= %r{\A\@?(([\w\-\.\+]*)\/)*([\w\-\.]+)@?(([\w\-\.\+]*)\/)*([\w\-\.]*)\z}.freeze + @package_name_regex ||= + %r{ + \A\@? + (?> # atomic group to prevent backtracking + (([\w\-\.\+]*)\/)*([\w\-\.]+) + ) + @? + (?> # atomic group to prevent backtracking + (([\w\-\.\+]*)\/)*([\w\-\.]*) + ) + \z + }x.freeze end def maven_file_name_regex diff --git a/spec/controllers/oauth/authorizations_controller_spec.rb b/spec/controllers/oauth/authorizations_controller_spec.rb index 23d472f6853..f811f13def8 100644 --- a/spec/controllers/oauth/authorizations_controller_spec.rb +++ b/spec/controllers/oauth/authorizations_controller_spec.rb @@ -95,6 +95,20 @@ RSpec.describe Oauth::AuthorizationsController do subject { post :create, params: params } include_examples 'OAuth Authorizations require confirmed user' + + context 'when application is confidential' do + before do + application.update(confidential: true) + params[:response_type] = 'token' + end + + it 'does not allow the implicit flow' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(response).to render_template('doorkeeper/authorizations/error') + end + end end describe 'DELETE #destroy' do diff --git a/spec/controllers/projects/raw_controller_spec.rb b/spec/controllers/projects/raw_controller_spec.rb index 43cf1a16051..e00a2a242f3 100644 --- a/spec/controllers/projects/raw_controller_spec.rb +++ b/spec/controllers/projects/raw_controller_spec.rb @@ -235,6 +235,18 @@ RSpec.describe Projects::RawController do expect(response.cache_control[:no_store]).to be_nil end + context 'when a public project has private repo' do + let(:project) { create(:project, :public, :repository, :repository_private) } + let(:user) { create(:user, maintainer_projects: [project]) } + + it 'does not set public caching header' do + sign_in user + request_file + + expect(response.header['Cache-Control']).to include('max-age=60, private') + end + end + context 'when If-None-Match header is set' do it 'returns a 304 status' do request_file diff --git a/spec/controllers/projects/repositories_controller_spec.rb b/spec/controllers/projects/repositories_controller_spec.rb index e7f4a8a1422..e6327a72a68 100644 --- a/spec/controllers/projects/repositories_controller_spec.rb +++ b/spec/controllers/projects/repositories_controller_spec.rb @@ -137,6 +137,18 @@ RSpec.describe Projects::RepositoriesController do expect(response.header['ETag']).to be_present expect(response.header['Cache-Control']).to include('max-age=60, public') end + + context 'and repo is private' do + let(:project) { create(:project, :repository, :public, :repository_private) } + + it 'sets appropriate caching headers' do + get_archive + + expect(response).to have_gitlab_http_status(:ok) + expect(response.header['ETag']).to be_present + expect(response.header['Cache-Control']).to include('max-age=60, private') + end + end end context 'when ref is a commit SHA' do diff --git a/spec/lib/gitlab/regex_spec.rb b/spec/lib/gitlab/regex_spec.rb index ebb37f45b95..776ca81a338 100644 --- a/spec/lib/gitlab/regex_spec.rb +++ b/spec/lib/gitlab/regex_spec.rb @@ -292,6 +292,12 @@ RSpec.describe Gitlab::Regex do it { is_expected.not_to match('my package name') } it { is_expected.not_to match('!!()()') } it { is_expected.not_to match("..\n..\foo") } + + it 'has no backtracking issue' do + Timeout.timeout(1) do + expect(subject).not_to match("-" * 50000 + ";") + end + end end describe '.maven_file_name_regex' do |