author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-06 19:15:50 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-06 19:15:50 +0000 |
commit | 30235c34b0a56de6f7acde24e6fba7a0116a2e02 (patch) | |
tree | 5ce458a87593a3ce451959a9eea4b7a6845d7bd7 | |
parent | effcf70e63bcb411a43986a450a22aa8217d1de5 (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
-rw-r--r-- | GITLAB_PAGES_VERSION | 2 | ||||
-rw-r--r-- | app/controllers/projects/raw_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/repositories_controller.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-nuget-regex-update-redos.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-pages-1-30-1.yml | 5 | ||||
-rw-r--r-- | lib/api/nuget_packages.rb | 2 | ||||
-rw-r--r-- | spec/controllers/projects/raw_controller_spec.rb | 12 | ||||
-rw-r--r-- | spec/controllers/projects/repositories_controller_spec.rb | 12 | ||||
-rw-r--r--[-rwxr-xr-x] | vendor/gitignore/C++.gitignore | 0 | ||||
-rw-r--r--[-rwxr-xr-x] | vendor/gitignore/Java.gitignore | 0 |
11 files changed, 43 insertions, 4 deletions
diff --git a/GITLAB_PAGES_VERSION b/GITLAB_PAGES_VERSION
index 034552a83ee..d1eaa3ba0b8 100644
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
@@ -1 +1 @@
-1.30.0
+1.30.2
diff --git a/app/controllers/projects/raw_controller.rb b/app/controllers/projects/raw_controller.rb
index d8ba7e4f235..b7ba42a0ebc 100644
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -21,7 +21,7 @@ class Projects::RawController < Projects::ApplicationController
 def show
 @blob = @repository.blob_at(@commit.id, @path)
- send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: @project.public?)
+ send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: Guest.can?(:download_code, @project))
 end
 private
diff --git a/app/controllers/projects/repositories_controller.rb b/app/controllers/projects/repositories_controller.rb
index fb6a09cff65..da018b24836 100644
--- a/app/controllers/projects/repositories_controller.rb
+++ b/app/controllers/projects/repositories_controller.rb
@@ -53,7 +53,7 @@ class Projects::RepositoriesController < Projects::ApplicationController
 end
 def set_cache_headers
- expires_in cache_max_age(archive_metadata['CommitId']), public: project.public?
+ expires_in cache_max_age(archive_metadata['CommitId']), public: Guest.can?(:download_code, project)
 fresh_when(etag: archive_metadata['ArchivePath'])
 end
diff --git a/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml b/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml
new file mode 100644
index 00000000000..20cd1659565
--- /dev/null
+++ b/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml
@@ -0,0 +1,5 @@
+---
+title: Forbid public cache for private repos
+merge_request:
+author:
+type: security
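Review bot: The new `allow_caching:` argument in `show` fixes the right thing but carries no explanation, so the next reader will not know why `@project.public?` was insufficient and may "simplify" it back. The spec added in this commit shows the case that matters — a public project whose repository is private — where `public?` is true but anonymous users cannot read the blob, and `Cache-Control: public` would let a shared cache or CDN serve it to anyone. Add a why-comment above the call, e.g. `# Shared caches may store the blob only if anonymous users can read the repository; project visibility alone ignores a private repository access level.` `show` is fully inside the hunk; the rest of the class is not.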
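Review bot: `set_cache_headers` now inlines `Guest.can?(:download_code, project)`, and `Projects::RawController#show` in this same commit inlines the identical expression; two hand-copied cache-policy conditions are exactly the kind of thing that drifts apart on the next touch, which for this header means a shared cache leaking a private archive. A single named predicate, e.g. `def publicly_downloadable?; Guest.can?(:download_code, project); end` (the parent controller is not visible here, so where it lives is a guess), used at both sites with a one-line comment that `public:` must never be true for a repository anonymous users cannot read, would keep the two paths in lockstep. `set_cache_headers` is shown in full; the surrounding class is not.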
diff --git a/changelogs/unreleased/security-nuget-regex-update-redos.yml b/changelogs/unreleased/security-nuget-regex-update-redos.yml
new file mode 100644
index 00000000000..5182097b8b1
--- /dev/null
+++ b/changelogs/unreleased/security-nuget-regex-update-redos.yml
@@ -0,0 +1,5 @@
+---
+title: Update NuGet regular expression to protect against ReDoS
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-pages-1-30-1.yml b/changelogs/unreleased/security-pages-1-30-1.yml
new file mode 100644
index 00000000000..7ea5a838c14
--- /dev/null
+++ b/changelogs/unreleased/security-pages-1-30-1.yml
@@ -0,0 +1,5 @@
+---
+title: Upgrade GitLab Pages to 1.30.2
+merge_request:
+author:
+type: security
diff --git a/lib/api/nuget_packages.rb b/lib/api/nuget_packages.rb
index 65a85f3c930..c4755f5fdc1 100644
--- a/lib/api/nuget_packages.rb
+++ b/lib/api/nuget_packages.rb
@@ -13,7 +13,7 @@ module API
 feature_category :package_registry
 POSITIVE_INTEGER_REGEX = %r{\A[1-9]\d*\z}.freeze
- NON_NEGATIVE_INTEGER_REGEX = %r{\A0|[1-9]\d*\z}.freeze
+ NON_NEGATIVE_INTEGER_REGEX = %r{\A(0|[1-9]\d*)\z}.freeze
 PACKAGE_FILENAME = 'package.nupkg'
diff --git a/spec/controllers/projects/raw_controller_spec.rb b/spec/controllers/projects/raw_controller_spec.rb
index 43cf1a16051..e00a2a242f3 100644
--- a/spec/controllers/projects/raw_controller_spec.rb
+++ b/spec/controllers/projects/raw_controller_spec.rb
@@ -235,6 +235,18 @@ RSpec.describe Projects::RawController do
 expect(response.cache_control[:no_store]).to be_nil
 end
+ context 'when a public project has private repo' do
+ let(:project) { create(:project, :public, :repository, :repository_private) }
+ let(:user) { create(:user, maintainer_projects: [project]) }
+ it 'does not set public caching header' do
+ sign_in user
+ request_file
+ expect(response.header['Cache-Control']).to include('max-age=60, private')
+ end
+ end
 context 'when If-None-Match header is set' do
 it 'returns a 304 status' do
 request_file
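Review bot: The corrected `NON_NEGATIVE_INTEGER_REGEX` gets no regression test in this commit — the diffstat touches no spec for `lib/api/nuget_packages.rb` — so the unanchored alternation just removed could silently come back. With the old pattern `\A0|[1-9]\d*\z`, the `\A0` branch accepted any string that merely starts with `0` and the `[1-9]\d*\z` branch any string that merely ends in a digit, so this is an input-validation fix as well as the ReDoS hardening the changelog names. Pin both sides, e.g. `expect('0').to match(described_class::NON_NEGATIVE_INTEGER_REGEX)`, `expect('0abc').not_to match(described_class::NON_NEGATIVE_INTEGER_REGEX)` and `expect('abc1').not_to match(described_class::NON_NEGATIVE_INTEGER_REGEX)`. Where the constant is consumed is outside the hunk, so whether callers also bound the input length cannot be judged here.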
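Review bot: The new example asserts on the raw header string `include('max-age=60, private')`, while the context line at the top of the same hunk inspects the parsed `response.cache_control[:no_store]`; for the property actually under test — "not storable by a shared cache" — the parsed hash is both robust to directive ordering and consistent with the neighbouring examples. Consider adding `expect(response.cache_control[:public]).to be_falsey` next to (or instead of) the string match. The example only exercises a signed-in maintainer; that an anonymous request to this project is rejected before any cache header is emitted is presumably covered elsewhere and is not visible here.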
diff --git a/spec/controllers/projects/repositories_controller_spec.rb b/spec/controllers/projects/repositories_controller_spec.rb
index e7f4a8a1422..e6327a72a68 100644
--- a/spec/controllers/projects/repositories_controller_spec.rb
+++ b/spec/controllers/projects/repositories_controller_spec.rb
@@ -137,6 +137,18 @@ RSpec.describe Projects::RepositoriesController do
 expect(response.header['ETag']).to be_present
 expect(response.header['Cache-Control']).to include('max-age=60, public')
 end
+ context 'and repo is private' do
+ let(:project) { create(:project, :repository, :public, :repository_private) }
+ it 'sets appropriate caching headers' do
+ get_archive
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.header['ETag']).to be_present
+ expect(response.header['Cache-Control']).to include('max-age=60, private')
+ end
+ end
 end
 context 'when ref is a commit SHA' do
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100755..100644
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100755..100644
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore
|