authorGitLab Bot <gitlab-bot@gitlab.com>2022-02-03 11:38:45 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-02-03 11:38:45 +0000
commit9e97f2dd13dd6eaaad37c5e3dabc4c892f54ce56 (patch)
tree2002c82c752a092bbe729a8cba755eb53b6da25f
parent895d43a11429eb09535327a6800242e99ca31198 (diff)
downloadgitlab-ce-9e97f2dd13dd6eaaad37c5e3dabc4c892f54ce56.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee
-rw-r--r--app/workers/irker_worker.rb18
-rw-r--r--doc/api/graphql/reference/index.md2
-rw-r--r--lib/banzai/filter/blockquote_fence_filter.rb2
-rw-r--r--package.json4
-rw-r--r--spec/features/issues/user_comments_on_issue_spec.rb2
-rw-r--r--spec/lib/banzai/filter/blockquote_fence_filter_spec.rb10
-rw-r--r--spec/models/integrations/irker_spec.rb18
-rw-r--r--spec/support/helpers/dns_helpers.rb10
-rw-r--r--spec/workers/irker_worker_spec.rb15
-rw-r--r--yarn.lock17
10 files changed, 77 insertions, 21 deletions
diff --git a/app/workers/irker_worker.rb b/app/workers/irker_worker.rb
index 3097a9fbc03..4f51bb69b8c 100644
--- a/app/workers/irker_worker.rb
+++ b/app/workers/irker_worker.rb
@@ -2,6 +2,7 @@
require 'json'
require 'socket'
+require 'resolv'
class IrkerWorker # rubocop:disable Scalability/IdempotentWorker
include ApplicationWorker
@@ -43,9 +44,18 @@ class IrkerWorker # rubocop:disable Scalability/IdempotentWorker
private
def start_connection(irker_server, irker_port)
+ ip_address = Resolv.getaddress(irker_server)
+ # handle IP6 addresses
+ domain = Resolv::IPv6::Regex.match?(ip_address) ? "[#{ip_address}]" : ip_address
+
begin
- @socket = TCPSocket.new irker_server, irker_port
- rescue Errno::ECONNREFUSED => e
+ Gitlab::UrlBlocker.validate!(
+ "irc://#{domain}",
+ allow_localhost: allow_local_requests?,
+ allow_local_network: allow_local_requests?,
+ schemes: ['irc'])
+ @socket = TCPSocket.new ip_address, irker_port
+ rescue Errno::ECONNREFUSED, Gitlab::UrlBlocker::BlockedUrlError => e
logger.fatal "Can't connect to Irker daemon: #{e}"
return false
end
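Review bot: `Resolv.getaddress(irker_server)` on the first added line sits outside the `begin` block, so an unresolvable hostname raises `Resolv::ResolvError` out of start_connection instead of being logged and returning false the way a refused connection or a blocked URL is. Move the resolution (and the IPv6 bracketing) inside `begin` and widen the rescue: `rescue Errno::ECONNREFUSED, Resolv::ResolvError, Gitlab::UrlBlocker::BlockedUrlError => e`. Resolving first and then handing the validated `ip_address` rather than the hostname to `TCPSocket.new` is what keeps a second lookup from returning a different host, so that ordering should stay and deserves a line such as `# connect to the validated address, not the name, so a second lookup cannot redirect us`. The URL given to the blocker carries no port, so any port-based checks inside `Gitlab::UrlBlocker` are not applied here — worth confirming that is intended. start_connection continues past the end of the hunk.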
@@ -53,6 +63,10 @@ class IrkerWorker # rubocop:disable Scalability/IdempotentWorker
true
end
+ def allow_local_requests?
+ Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
+ end
+
def send_to_irker(privmsg)
to_send = { to: @channels, privmsg: privmsg }
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 5dd76cf4f9b..61b8f78d287 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -15493,7 +15493,7 @@ Represents an issue link of a vulnerability.
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="vulnerabilityissuelinkid"></a>`id` | [`ID!`](#id) | GraphQL ID of the vulnerability. |
-| <a id="vulnerabilityissuelinkissue"></a>`issue` | [`Issue!`](#issue) | Issue attached to issue link. |
+| <a id="vulnerabilityissuelinkissue"></a>`issue` | [`Issue`](#issue) | Issue attached to issue link. |
| <a id="vulnerabilityissuelinklinktype"></a>`linkType` | [`VulnerabilityIssueLinkType!`](#vulnerabilityissuelinktype) | Type of the issue link. |
### `VulnerabilityLink`
diff --git a/lib/banzai/filter/blockquote_fence_filter.rb b/lib/banzai/filter/blockquote_fence_filter.rb
index 8f5ad9981e5..e07cbfe8d85 100644
--- a/lib/banzai/filter/blockquote_fence_filter.rb
+++ b/lib/banzai/filter/blockquote_fence_filter.rb
@@ -6,7 +6,7 @@ module Banzai
REGEX = %r{
#{::Gitlab::Regex.markdown_code_or_html_blocks}
|
- (?:
+ (?=^>>>\ *\n.*\n>>>\ *$)(?:
# Blockquote:
# >>>
# Anything, including code and HTML blocks
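Review bot: The added lookahead `(?=^>>>\ *\n.*\n>>>\ *$)` has no comment, and its purpose — only enter the blockquote alternative when a closing `>>>` fence actually exists, so an unterminated opener does not backtrack through every following code block — is not obvious from the pattern; add a line above it such as `# Cheap pre-check that a closing fence exists; avoids catastrophic backtracking on an unterminated opener`. The `.*` between the two fences can only span lines if the `m` option is set on REGEX, which is declared outside the hunk; confirm, since without it the lookahead would reject every multi-line blockquote. The REGEX constant continues past the hunk.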
diff --git a/package.json b/package.json
index 5016d75f74c..abaa38a5c59 100644
--- a/package.json
+++ b/package.json
@@ -125,7 +125,7 @@
"dateformat": "^5.0.1",
"deckar01-task_list": "^2.3.1",
"diff": "^3.4.0",
- "dompurify": "^2.3.3",
+ "dompurify": "^2.3.4",
"dropzone": "^4.2.0",
"editorconfig": "^0.15.3",
"emoji-regex": "^7.0.3",
@@ -148,7 +148,7 @@
"lowlight": "^1.20.0",
"marked": "^0.3.12",
"mathjax": "3",
- "mermaid": "^8.13.4",
+ "mermaid": "^8.13.10",
"minimatch": "^3.0.4",
"monaco-editor": "^0.25.2",
"monaco-editor-webpack-plugin": "^4.0.0",
diff --git a/spec/features/issues/user_comments_on_issue_spec.rb b/spec/features/issues/user_comments_on_issue_spec.rb
index 09d3ad15641..4083b2a9e99 100644
--- a/spec/features/issues/user_comments_on_issue_spec.rb
+++ b/spec/features/issues/user_comments_on_issue_spec.rb
@@ -49,7 +49,7 @@ RSpec.describe "User comments on issue", :js do
add_note(comment)
- expect(page.find('svg.mermaid')).to have_content html_content
+ expect(page.find('svg.mermaid')).not_to have_content html_content
within('svg.mermaid') { expect(page).not_to have_selector('img') }
end
diff --git a/spec/lib/banzai/filter/blockquote_fence_filter_spec.rb b/spec/lib/banzai/filter/blockquote_fence_filter_spec.rb
index e736943914b..2d326bd77a6 100644
--- a/spec/lib/banzai/filter/blockquote_fence_filter_spec.rb
+++ b/spec/lib/banzai/filter/blockquote_fence_filter_spec.rb
@@ -17,4 +17,14 @@ RSpec.describe Banzai::Filter::BlockquoteFenceFilter do
it 'allows trailing whitespace on blockquote fence lines' do
expect(filter(">>> \ntest\n>>> ")).to eq("\n> test\n")
end
+
+ context 'when incomplete blockquote fences with multiple blocks are present' do
+ it 'does not raise timeout error' do
+ test_string = ">>>#{"\n```\nfoo\n```" * 20}"
+
+ expect do
+ Timeout.timeout(2.seconds) { filter(test_string) }
+ end.not_to raise_error
+ end
+ end
end
diff --git a/spec/models/integrations/irker_spec.rb b/spec/models/integrations/irker_spec.rb
index 8b207e8b43e..8aea2c26dc5 100644
--- a/spec/models/integrations/irker_spec.rb
+++ b/spec/models/integrations/irker_spec.rb
@@ -2,6 +2,7 @@
require 'spec_helper'
require 'socket'
+require 'timeout'
require 'json'
RSpec.describe Integrations::Irker do
@@ -37,6 +38,7 @@ RSpec.describe Integrations::Irker do
before do
@irker_server = TCPServer.new 'localhost', 0
+ allow(Gitlab::CurrentSettings).to receive(:allow_local_requests_from_web_hooks_and_services?).and_return(true)
allow(irker).to receive_messages(
active: true,
project: project,
@@ -58,13 +60,17 @@ RSpec.describe Integrations::Irker do
irker.execute(sample_data)
conn = @irker_server.accept
- conn.each_line do |line|
- msg = Gitlab::Json.parse(line.chomp("\n"))
- expect(msg.keys).to match_array(%w(to privmsg))
- expect(msg['to']).to match_array(["irc://chat.freenode.net/#commits",
- "irc://test.net/#test"])
+
+ Timeout.timeout(5) do
+ conn.each_line do |line|
+ msg = Gitlab::Json.parse(line.chomp("\n"))
+ expect(msg.keys).to match_array(%w(to privmsg))
+ expect(msg['to']).to match_array(["irc://chat.freenode.net/#commits",
+ "irc://test.net/#test"])
+ end
end
- conn.close
+ ensure
+ conn.close if conn
end
end
end
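Review bot: `conn = @irker_server.accept` stays outside the new `Timeout.timeout(5)` block, so if `irker.execute` never opens a connection (for instance because the URL blocker rejects the address) the spec blocks on `accept` indefinitely instead of failing after five seconds. Move the accept inside the timeout: `Timeout.timeout(5) do` / `conn = @irker_server.accept` / `conn.each_line do |line|`. The `ensure` clause on the `it` block still works in that arrangement because `conn` is nil when accept never returned. The enclosing `it` block starts before the hunk.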
diff --git a/spec/support/helpers/dns_helpers.rb b/spec/support/helpers/dns_helpers.rb
index ba32ccbb6f1..b941e7c4808 100644
--- a/spec/support/helpers/dns_helpers.rb
+++ b/spec/support/helpers/dns_helpers.rb
@@ -23,7 +23,15 @@ module DnsHelpers
end
def permit_local_dns!
- local_addresses = /\A(127|10)\.0\.0\.\d{1,3}|(192\.168|172\.16)\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost\z/i
+ local_addresses = %r{
+ \A
+ ::1? | # IPV6
+ (127|10)\.0\.0\.\d{1,3} | # 127.0.0.x or 10.0.0.x local network
+ (192\.168|172\.16)\.\d{1,3}\.\d{1,3} | # 192.168.x.x or 172.16.x.x local network
+ 0\.0\.0\.0 | # loopback
+ localhost
+ \z
+ }xi
allow(Addrinfo).to receive(:getaddrinfo).with(local_addresses, anything, nil, :STREAM).and_call_original
allow(Addrinfo).to receive(:getaddrinfo).with(local_addresses, anything, nil, :STREAM, anything, anything, any_args).and_call_original
end
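Review bot: In the rewritten `local_addresses` pattern the `\A` anchor belongs only to the first alternative (`::1?`) and `\z` only to the last (`localhost`), so the middle alternatives match anywhere in the hostname string — a constructed name like `10.0.0.1.example.test` would count as local and be passed through to the real resolver. Wrap the alternation in a group: `\A(?:` on the second line and `)\z` in place of the bare `\z` before `}xi`. The original regex had the same shape, but this commit rewrites the whole pattern, which is the moment to fix it. The `# loopback` comment on `0\.0\.0\.0` is also inaccurate — that is the unspecified/wildcard address, loopback is the 127 range — and `::1?` matches both `::1` and the IPv6 unspecified address `::`, which the `# IPV6` comment should say.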
diff --git a/spec/workers/irker_worker_spec.rb b/spec/workers/irker_worker_spec.rb
index aa1f1d2fe1d..c3d40ad2783 100644
--- a/spec/workers/irker_worker_spec.rb
+++ b/spec/workers/irker_worker_spec.rb
@@ -21,7 +21,7 @@ RSpec.describe IrkerWorker, '#perform' do
channels,
false,
push_data,
- server_settings
+ HashWithIndifferentAccess.new(server_settings)
]
end
@@ -35,6 +35,14 @@ RSpec.describe IrkerWorker, '#perform' do
allow(tcp_socket).to receive(:close).and_return(true)
end
+ context 'local requests are not allowed' do
+ before do
+ allow(Gitlab::CurrentSettings).to receive(:allow_local_requests_from_web_hooks_and_services?).and_return(false)
+ end
+
+ it { expect(worker.perform(*arguments)).to be_falsey }
+ end
+
context 'connection fails' do
before do
allow(TCPSocket).to receive(:new).and_raise(Errno::ECONNREFUSED.new('test'))
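Review bot: The new `local requests are not allowed` context only asserts that perform returns falsey, which would equally hold if the connection failed for an unrelated reason; since the `tcp_socket` stubs above make the socket path succeed, add `expect(TCPSocket).not_to receive(:new)` to the example so it pins that the URL blocker, not a connection error, produced the result. The `connection fails` context that follows opens inside the hunk but its body continues past it.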
@@ -44,6 +52,11 @@ RSpec.describe IrkerWorker, '#perform' do
end
context 'connection successful' do
+ before do
+ allow(Gitlab::CurrentSettings)
+ .to receive(:allow_local_requests_from_web_hooks_and_services?).and_return(true)
+ end
+
it { expect(subject.perform(*arguments)).to be_truthy }
context 'new branch' do
diff --git a/yarn.lock b/yarn.lock
index 4e493812ead..2b5e209c495 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4918,11 +4918,16 @@ domhandler@^4.0.0, domhandler@^4.2.0:
dependencies:
domelementtype "^2.2.0"
-dompurify@2.3.3, dompurify@^2.3.3:
+dompurify@^2.3.3:
version "2.3.3"
resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.3.3.tgz#c1af3eb88be47324432964d8abc75cf4b98d634c"
integrity sha512-dqnqRkPMAjOZE0FogZ+ceJNM2dZ3V/yNOuFB7+39qpO93hHhfRpHw3heYQC7DPK9FqbQTfBKUJhiSfz4MvXYwg==
+dompurify@2.3.4, dompurify@^2.3.4:
+ version "2.3.4"
+ resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.3.4.tgz#1cf5cf0105ccb4debdf6db162525bd41e6ddacc6"
+ integrity sha512-6BVcgOAVFXjI0JTjEvZy901Rghm+7fDQOrNIcxB4+gdhj6Kwp6T9VBhBY/AbagKHJocRkDYGd6wvI+p4/10xtQ==
+
domutils@^1.5.1:
version "1.7.0"
resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.7.0.tgz#56ea341e834e06e6748af7a1cb25da67ea9f8c2a"
@@ -8440,16 +8445,16 @@ merge2@^1.3.0:
resolved "https://registry.yarnpkg.com/merge2/-/merge2-1.4.1.tgz#4368892f885e907455a6fd7dc55c0c9d404990ae"
integrity sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==
-mermaid@^8.13.4:
- version "8.13.4"
- resolved "https://registry.yarnpkg.com/mermaid/-/mermaid-8.13.4.tgz#924cb85f39380285e0a99f245c66cfa61014a2e1"
- integrity sha512-zdWtsXabVy1PEAE25Jkm4zbTDlQe8rqNlTMq2B3j+D+NxDskJEY5OsgalarvNLsw+b5xFa1a8D1xcm/PijrDow==
+mermaid@^8.13.10:
+ version "8.13.10"
+ resolved "https://registry.yarnpkg.com/mermaid/-/mermaid-8.13.10.tgz#b9d733b178bbf7416b9b46e39d566c7c28b75688"
+ integrity sha512-2ANep359uML87+wiYaWSu83eg9Qc0xCLnNJdCh100m4v0orS3fp8SScsZLcDSElRGHi+1zuVJsEEVEWH05+COQ==
dependencies:
"@braintree/sanitize-url" "^3.1.0"
d3 "^7.0.0"
dagre "^0.8.5"
dagre-d3 "^0.6.4"
- dompurify "2.3.3"
+ dompurify "2.3.4"
graphlib "^2.1.8"
khroma "^1.4.1"
moment-mini "^2.24.0"