diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-10-27 10:15:45 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-10-27 10:15:58 +0000 |
commit | effd28b6d2d5c1fa7086ca6d4ea2fdee08f79ea9 (patch) | |
tree | 853009de7b5b9acb115c07217c5f48f13691f14e | |
parent | 689970fc7731f4dd919733433c236ad549ea5c5e (diff) | |
download | gitlab-ce-effd28b6d2d5c1fa7086ca6d4ea2fdee08f79ea9.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-2-stable-ee
-rw-r--r-- | app/models/namespace.rb | 11 | ||||
-rw-r--r-- | config/gitlab.yml.example | 6 | ||||
-rw-r--r-- | config/initializers/1_settings.rb | 3 | ||||
-rw-r--r-- | db/fixtures/production/002_admin.rb | 2 |
4 files changed, 15 insertions, 7 deletions
diff --git a/app/models/namespace.rb b/app/models/namespace.rb index 261639a4ec1..1f903eba712 100644 --- a/app/models/namespace.rb +++ b/app/models/namespace.rb @@ -26,6 +26,8 @@ class Namespace < ApplicationRecord SHARED_RUNNERS_SETTINGS = %w[disabled_and_unoverridable disabled_with_override enabled].freeze URL_MAX_LENGTH = 255 + PATH_TRAILING_VIOLATIONS = %w[.git .atom .].freeze + cache_markdown_field :description, pipeline: :description has_many :projects, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent @@ -162,9 +164,14 @@ class Namespace < ApplicationRecord # Remove everything that's not in the list of allowed characters. path.gsub!(/[^a-zA-Z0-9_\-\.]/, "") # Remove trailing violations ('.atom', '.git', or '.') - path.gsub!(/(\.atom|\.git|\.)*\z/, "") + loop do + orig = path + PATH_TRAILING_VIOLATIONS.each { |ext| path = path.chomp(ext) } + break if orig == path + end + # Remove leading violations ('-') - path.gsub!(/\A\-+/, "") + path.gsub!(/\A\-+/, "") # Users with the great usernames of "." or ".." would end up with a blank username. # Work around that by setting their username to "blank", followed by a counter. diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index f7b1c2f7567..36eeb7f8514 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -176,8 +176,10 @@ production: &base ## Application settings cache expiry in seconds (default: 60) # application_settings_cache_seconds: 60 - ## Print initial root password to stdout during initialization (default: true) - # display_initial_root_password: true + ## Print initial root password to stdout during initialization (default: false) + # WARNING: setting this to true means that the root password will be printed in + # plaintext. This can be a security risk. + # display_initial_root_password: false ## Reply by email # Allow users to comment on issues and merge requests by replying to notification emails. diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index e71f1e1b028..6d61755f033 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb @@ -217,8 +217,7 @@ Settings.gitlab['no_todos_messages'] ||= YAML.load_file(Rails.root.join('config' Settings.gitlab['impersonation_enabled'] ||= true if Settings.gitlab['impersonation_enabled'].nil? Settings.gitlab['usage_ping_enabled'] = true if Settings.gitlab['usage_ping_enabled'].nil? Settings.gitlab['max_request_duration_seconds'] ||= 57 - -Settings.gitlab['display_initial_root_password'] = true if Settings.gitlab['display_initial_root_password'].nil? +Settings.gitlab['display_initial_root_password'] = false if Settings.gitlab['display_initial_root_password'].nil? Gitlab.ee do Settings.gitlab['mirror_max_delay'] ||= 300 diff --git a/db/fixtures/production/002_admin.rb b/db/fixtures/production/002_admin.rb index b6a6da3a188..b4710bc3e97 100644 --- a/db/fixtures/production/002_admin.rb +++ b/db/fixtures/production/002_admin.rb @@ -26,7 +26,7 @@ if user.persisted? if ::Settings.gitlab['display_initial_root_password'] puts "password: #{user_args[:password]}".color(:green) else - puts "password: *** - You opted not to display initial root password to STDOUT." + puts "password: ******".color(:green) end else puts "password: You'll be prompted to create one on your first visit.".color(:green) |