Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee

11 files changed, 43 insertions, 4 deletions

diff --git a/GITLAB_PAGES_VERSION b/GITLAB_PAGES_VERSION
index 034552a83ee..d1eaa3ba0b8 100644
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
@@ -1 +1 @@
-1.30.0
+1.30.2
diff --git a/app/controllers/projects/raw_controller.rb b/app/controllers/projects/raw_controller.rb
index d8ba7e4f235..b7ba42a0ebc 100644
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -21,7 +21,7 @@ class Projects::RawController < Projects::ApplicationController
   def show
     @blob = @repository.blob_at(@commit.id, @path)
 
-    send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: @project.public?)
+    send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: Guest.can?(:download_code, @project))
   end
 
   private
diff --git a/app/controllers/projects/repositories_controller.rb b/app/controllers/projects/repositories_controller.rb
index fb6a09cff65..da018b24836 100644
--- a/app/controllers/projects/repositories_controller.rb
+++ b/app/controllers/projects/repositories_controller.rb
@@ -53,7 +53,7 @@ class Projects::RepositoriesController < Projects::ApplicationController
   end
 
   def set_cache_headers
-    expires_in cache_max_age(archive_metadata['CommitId']), public: project.public?
+    expires_in cache_max_age(archive_metadata['CommitId']), public: Guest.can?(:download_code, project)
     fresh_when(etag: archive_metadata['ArchivePath'])
   end
 
diff --git a/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml b/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml
new file mode 100644
index 00000000000..20cd1659565
--- /dev/null
+++ b/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml
@@ -0,0 +1,5 @@
+---
+title: Forbid public cache for private repos
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-nuget-regex-update-redos.yml b/changelogs/unreleased/security-nuget-regex-update-redos.yml
new file mode 100644
index 00000000000..5182097b8b1
--- /dev/null
+++ b/changelogs/unreleased/security-nuget-regex-update-redos.yml
@@ -0,0 +1,5 @@
+---
+title: Update NuGet regular expression to protect against ReDoS
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-pages-1-30-1.yml b/changelogs/unreleased/security-pages-1-30-1.yml
new file mode 100644
index 00000000000..7ea5a838c14
--- /dev/null
+++ b/changelogs/unreleased/security-pages-1-30-1.yml
@@ -0,0 +1,5 @@
+---
+title: Upgrade GitLab Pages to 1.30.2
+merge_request:
+author:
+type: security
diff --git a/lib/api/nuget_packages.rb b/lib/api/nuget_packages.rb
index 65a85f3c930..c4755f5fdc1 100644
--- a/lib/api/nuget_packages.rb
+++ b/lib/api/nuget_packages.rb
@@ -13,7 +13,7 @@ module API
     feature_category :package_registry
 
     POSITIVE_INTEGER_REGEX = %r{\A[1-9]\d*\z}.freeze
-    NON_NEGATIVE_INTEGER_REGEX = %r{\A0|[1-9]\d*\z}.freeze
+    NON_NEGATIVE_INTEGER_REGEX = %r{\A(0|[1-9]\d*)\z}.freeze
 
     PACKAGE_FILENAME = 'package.nupkg'
 
diff --git a/spec/controllers/projects/raw_controller_spec.rb b/spec/controllers/projects/raw_controller_spec.rb
index 43cf1a16051..e00a2a242f3 100644
--- a/spec/controllers/projects/raw_controller_spec.rb
+++ b/spec/controllers/projects/raw_controller_spec.rb
@@ -235,6 +235,18 @@ RSpec.describe Projects::RawController do
         expect(response.cache_control[:no_store]).to be_nil
       end
 
+      context 'when a public project has private repo' do
+        let(:project) { create(:project, :public, :repository, :repository_private) }
+        let(:user) { create(:user, maintainer_projects: [project]) }
+
+        it 'does not set public caching header' do
+          sign_in user
+          request_file
+
+          expect(response.header['Cache-Control']).to include('max-age=60, private')
+        end
+      end
+
       context 'when If-None-Match header is set' do
         it 'returns a 304 status' do
           request_file
diff --git a/spec/controllers/projects/repositories_controller_spec.rb b/spec/controllers/projects/repositories_controller_spec.rb
index e7f4a8a1422..e6327a72a68 100644
--- a/spec/controllers/projects/repositories_controller_spec.rb
+++ b/spec/controllers/projects/repositories_controller_spec.rb
@@ -137,6 +137,18 @@ RSpec.describe Projects::RepositoriesController do
             expect(response.header['ETag']).to be_present
             expect(response.header['Cache-Control']).to include('max-age=60, public')
           end
+
+          context 'and repo is private' do
+            let(:project) { create(:project, :repository, :public, :repository_private) }
+
+            it 'sets appropriate caching headers' do
+              get_archive
+
+              expect(response).to have_gitlab_http_status(:ok)
+              expect(response.header['ETag']).to be_present
+              expect(response.header['Cache-Control']).to include('max-age=60, private')
+            end
+          end
         end
 
         context 'when ref is a commit SHA' do
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100755..100644
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100755..100644
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore