author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 14:12:22 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 14:12:50 +0000 |
commit | c692ef42c01f3fec6841f0000fff8f2bce1ea06e (patch) | |
tree | 71274861fcc8980826ce01767e12f5d9b552f094 | |
parent | ee242ee85e91bf2918fbcbb74ace3b5c66fa79dc (diff) | |
download | gitlab-ce-c692ef42c01f3fec6841f0000fff8f2bce1ea06e.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee
-rw-r--r-- | .rubocop_todo/layout/line_length.yml | 1 | ||||
-rw-r--r-- | app/finders/packages/conan/package_finder.rb | 2 | ||||
-rw-r--r-- | db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb | 25 | ||||
-rw-r--r-- | db/schema_migrations/20220520120637 | 1 | ||||
-rw-r--r-- | db/structure.sql | 2 | ||||
-rw-r--r-- | doc/user/group/index.md | 3 | ||||
-rw-r--r-- | lib/gitlab/jira/dvcs.rb | 3 | ||||
-rw-r--r-- | locale/gitlab.pot | 3 | ||||
-rw-r--r-- | spec/finders/packages/conan/package_finder_spec.rb | 51 | ||||
-rw-r--r-- | spec/requests/jira_routing_spec.rb | 54 | ||||
-rw-r--r-- | spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb | 67 |
11 files changed, 166 insertions, 46 deletions
diff --git a/.rubocop_todo/layout/line_length.yml b/.rubocop_todo/layout/line_length.yml
index a9200ee9fba..6eebd8b1040 100644
--- a/.rubocop_todo/layout/line_length.yml
+++ b/.rubocop_todo/layout/line_length.yml
@@ -1974,7 +1974,6 @@ Layout/LineLength:
 - 'ee/spec/features/groups/iterations/user_edits_iteration_spec.rb'
 - 'ee/spec/features/groups/iterations/user_views_iteration_cadence_spec.rb'
 - 'ee/spec/features/groups/iterations/user_views_iteration_spec.rb'
- - 'ee/spec/features/groups/members/manage_groups_spec.rb'
 - 'ee/spec/features/groups/members/manage_members_spec.rb'
 - 'ee/spec/features/groups/members/override_ldap_memberships_spec.rb'
 - 'ee/spec/features/groups/saml_providers_spec.rb'
diff --git a/app/finders/packages/conan/package_finder.rb b/app/finders/packages/conan/package_finder.rb
index 8ebdd358ba6..210b37635b3 100644
--- a/app/finders/packages/conan/package_finder.rb
+++ b/app/finders/packages/conan/package_finder.rb
@@ -25,7 +25,7 @@ module Packages
 end
 def projects_visible_to_current_user
- ::Project.public_or_visible_to_user(current_user)
+ ::Project.public_or_visible_to_user(current_user, ::Gitlab::Access::REPORTER)
 end
 end
 end
diff --git a/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb b/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb
new file mode 100644
index 00000000000..b26d1f5429a
--- /dev/null
+++ b/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb
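Review bot: The new `::Gitlab::Access::REPORTER` argument in `projects_visible_to_current_user` is the authorization decision of this change, yet nothing in the method says why Reporter is the floor, so a later reader may lower or drop it; add a why-comment such as `# Non-public projects expose their Conan packages only to members with at least Reporter access; guests on a private project must not see them (see spec/finders/packages/conan/package_finder_spec.rb)`. The method name still reads as plain visibility while it now also applies a minimum role, so naming the level at class scope, e.g. `MINIMUM_ACCESS_LEVEL = ::Gitlab::Access::REPORTER`, would make the call site self-describing. The enclosing class starts outside the hunk.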
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class AddInstallableConanPackagesIndexToPackages < Gitlab::Database::Migration[2.0]
+ disable_ddl_transaction!
+
+ INDEX_NAME = 'idx_installable_conan_pkgs_on_project_id_id'
+ # as defined by Packages::Package.package_types
+ CONAN_PACKAGE_TYPE = 3
+
+ # as defined by Packages::Package::INSTALLABLE_STATUSES
+ DEFAULT_STATUS = 0
+ HIDDEN_STATUS = 1
+
+ def up
+ where = "package_type = #{CONAN_PACKAGE_TYPE} AND status IN (#{DEFAULT_STATUS}, #{HIDDEN_STATUS})"
+ add_concurrent_index :packages_packages,
+ [:project_id, :id],
+ where: where,
+ name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index_by_name :packages_packages, INDEX_NAME
+ end
+end
diff --git a/db/schema_migrations/20220520120637 b/db/schema_migrations/20220520120637
new file mode 100644
index 00000000000..f379ef0d581
--- /dev/null
+++ b/db/schema_migrations/20220520120637
@@ -0,0 +1 @@
+1fdb60b1c72b687aa8bede083ac7038097d538dc815e334d74296b1d39c2acb8
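Review bot: The partial-index predicate built in `up` copies the Conan type and the two installable statuses as literals, so if `Packages::Package::INSTALLABLE_STATUSES` or the Conan value in `package_types` ever changes, the finder's query silently stops matching this index instead of failing; the existing "as defined by" comments say where the values come from but not that drift is the risk, so extend them: `# Copied on purpose (migrations must not load models); if these values change, the index needs a follow-up migration.` The local named `where` reads like a query-builder call on first sight; `condition` or `installable_conan` would avoid the double take. `add_concurrent_index` and the `down` counterpart look consistent with the other `idx_installable_*` indexes shown in the structure.sql hunk.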
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index fa9d9e8f778..165f501120e 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -26607,6 +26607,8 @@ CREATE UNIQUE INDEX idx_environment_merge_requests_unique_index ON deployment_me
 CREATE INDEX idx_geo_con_rep_updated_events_on_container_repository_id ON geo_container_repository_updated_events USING btree (container_repository_id);
+CREATE INDEX idx_installable_conan_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id) WHERE ((package_type = 3) AND (status = ANY (ARRAY[0, 1])));
+
 CREATE INDEX idx_installable_helm_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id);
 CREATE INDEX idx_installable_npm_pkgs_on_project_id_name_version_id ON packages_packages USING btree (project_id, name, version, id) WHERE ((package_type = 2) AND (status = 0));
diff --git a/doc/user/group/index.md b/doc/user/group/index.md
index 87146329031..e99dfc738cf 100644
--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -644,6 +644,7 @@ To restrict group access by IP address:
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7297) in GitLab 12.2.
 > - Support for specifying multiple email domains [added](https://gitlab.com/gitlab-org/gitlab/-/issues/33143) in GitLab 13.1.
 > - Support for restricting access to projects in the group [added](https://gitlab.com/gitlab-org/gitlab/-/issues/14004) in GitLab 14.1.2.
+> - Support for restricting group memberships to groups with a subset of the allowed email domains [added](https://gitlab.com/gitlab-org/gitlab/-/issues/354791) in GitLab 15.0.1
 You can prevent users with email addresses in specific domains from being added to a group and its projects.
@@ -666,6 +667,8 @@ The most popular public email domains cannot be restricted, such as:
 - `hotmail.com`, `hotmail.co.uk`, `hotmail.fr`
 - `msn.com`, `live.com`, `outlook.com`
+When you share a group, both the source and target namespaces must allow the domains of the members' email addresses.
+
 ## Group file templates **(PREMIUM)**
 Use group file templates to share a set of templates for common file
diff --git a/lib/gitlab/jira/dvcs.rb b/lib/gitlab/jira/dvcs.rb
index ddf2cd76709..41a039674b3 100644
--- a/lib/gitlab/jira/dvcs.rb
+++ b/lib/gitlab/jira/dvcs.rb
@@ -38,7 +38,8 @@ module Gitlab
 # @param [String] namespace
 def self.restore_full_path(namespace:, project:)
 if project.include?(ENCODED_SLASH)
- project.gsub(ENCODED_SLASH, SLASH)
+ # Replace multiple slashes with single ones to make sure the redirect stays on the same host
+ project.gsub(ENCODED_SLASH, SLASH).gsub(%r{\/{2,}}, '/')
 else
 "#{namespace}/#{project}"
 end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 96137675f03..58da605053b 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -21039,6 +21039,9 @@ msgstr ""
 msgid "Invited"
 msgstr ""
+msgid "Invited group allowed email domains must contain a subset of the allowed email domains of the root ancestor group. Go to the group's 'Settings > General' page and check 'Restrict membership by email domain'."
+msgstr ""
+
 msgid "IrkerService|Channels and users separated by whitespaces. %{recipients_docs_link}"
 msgstr ""
diff --git a/spec/finders/packages/conan/package_finder_spec.rb b/spec/finders/packages/conan/package_finder_spec.rb
index b26f8900090..6848786818b 100644
--- a/spec/finders/packages/conan/package_finder_spec.rb
+++ b/spec/finders/packages/conan/package_finder_spec.rb
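Review bot: The added `.gsub(%r{\/{2,}}, '/')` in `restore_full_path` runs only in the `include?(ENCODED_SLASH)` branch, and its comment says what it does but not what it prevents, so a later cleanup could drop it as a no-op; state the threat: `# Collapse runs of slashes: a decoded path such as '//host' would otherwise be a protocol-relative URL and the redirect would leave this host.` The `\/` inside `%r{}` is a redundant escape; `%r{/{2,}}` is equivalent and is what RuboCop's Style/RedundantRegexpEscape expects. Whether the `else` branch's `"#{namespace}/#{project}"` can produce a leading `//` when `namespace` is blank is not visible here and is worth confirming against the callers. The enclosing module starts outside the hunk.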
@@ -2,22 +2,53 @@
 require 'spec_helper'
 RSpec.describe ::Packages::Conan::PackageFinder do
+ using RSpec::Parameterized::TableSyntax
+
+ let_it_be_with_reload(:project) { create(:project) }
 let_it_be(:user) { create(:user) }
- let_it_be(:project) { create(:project, :public) }
+ let_it_be(:private_project) { create(:project, :private) }
+
+ let_it_be(:conan_package) { create(:conan_package, project: project) }
+ let_it_be(:conan_package2) { create(:conan_package, project: project) }
+ let_it_be(:errored_package) { create(:conan_package, :error, project: project) }
+ let_it_be(:private_package) { create(:conan_package, project: private_project) }
 describe '#execute' do
- let!(:conan_package) { create(:conan_package, project: project) }
- let!(:conan_package2) { create(:conan_package, project: project) }
+ let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
+ let(:finder) { described_class.new(user, query: query) }
+
+ subject { finder.execute }
+
+ where(:visibility, :role, :packages_visible) do
+ :private | :maintainer | true
+ :private | :developer | true
+ :private | :reporter | true
+ :private | :guest | false
+ :private | :anonymous | false
+
+ :internal | :maintainer | true
+ :internal | :developer | true
+ :internal | :reporter | true
+ :internal | :guest | true
+ :internal | :anonymous | false
+
+ :public | :maintainer | true
+ :public | :developer | true
+ :public | :reporter | true
+ :public | :guest | true
+ :public | :anonymous | true
+ end
- subject { described_class.new(user, query: query).execute }
+ with_them do
+ let(:expected_packages) { packages_visible ? [conan_package, conan_package2] : [] }
+ let(:user) { role == :anonymous ? nil : super() }
- context 'packages that are not installable' do
- let!(:conan_package3) { create(:conan_package, :error, project: project) }
- let!(:non_visible_project) { create(:project, :private) }
- let!(:non_visible_conan_package) { create(:conan_package, project: non_visible_project) }
- let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
+ before do
+ project.update_column(:visibility_level, Gitlab::VisibilityLevel.string_options[visibility.to_s])
+ project.add_user(user, role) unless role == :anonymous
+ end
- it { is_expected.to eq [conan_package, conan_package2] }
+ it { is_expected.to eq(expected_packages) }
 end
 end
 end
diff --git a/spec/requests/jira_routing_spec.rb b/spec/requests/jira_routing_spec.rb
index a627eea33a8..e0e170044de 100644
--- a/spec/requests/jira_routing_spec.rb
+++ b/spec/requests/jira_routing_spec.rb
@@ -25,27 +25,49 @@ RSpec.describe 'Jira referenced paths', type: :request do
 expect(response).to redirect_to(redirect_path)
 end
- context 'with encoded subgroup path' do
- where(:jira_path, :redirect_path) do
- '/group/group@sub_group@sub_group_project' | '/group/sub_group/sub_group_project'
- '/group@sub_group/group@sub_group@sub_group_project' | '/group/sub_group/sub_group_project'
- '/group/group@sub_group@sub_group_project/commit/1234567' | '/group/sub_group/sub_group_project/commit/1234567'
- '/group/group@sub_group@sub_group_project/tree/1234567' | '/group/sub_group/sub_group_project/-/tree/1234567'
+ shared_examples 'redirects to jira path' do
+ it 'redirects to canonical path with legacy prefix' do
+ redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path
 end
- with_them do
- context 'with legacy prefix' do
- it 'redirects to canonical path' do
- redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path
- end
- end
-
- it 'redirects to canonical path' do
- redirects_to_canonical_path jira_path, redirect_path
- end
+ it 'redirects to canonical path' do
+ redirects_to_canonical_path jira_path, redirect_path
 end
 end
+ let(:jira_path) { '/group/group@sub_group@sub_group_project' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project' }
+
+ it_behaves_like 'redirects to jira path'
+
+ context 'contains @ before the first /' do
+ let(:jira_path) { '/group@sub_group/group@sub_group@sub_group_project' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
+ context 'including commit path' do
+ let(:jira_path) { '/group/group@sub_group@sub_group_project/commit/1234567' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project/commit/1234567' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
+ context 'including tree path' do
+ let(:jira_path) { '/group/group@sub_group@sub_group_project/tree/1234567' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project/-/tree/1234567' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
+ context 'malicious path' do
+ let(:jira_path) { '/group/@@malicious.server' }
+ let(:redirect_path) { '/malicious.server' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
 context 'regular paths with legacy prefix' do
 where(:jira_path, :redirect_path) do
 '/-/jira/group/group_project' | '/group/group_project'
diff --git a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
index 135fa4cf5a4..e6b0772aec1 100644
--- a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
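Review bot: The `'malicious path'` context near the end of the hunk pins the redirect target, but its name hides what it guards, so a reader will not see that `@@` decodes to `//` and that `//malicious.server` would be a protocol-relative, off-host redirect; rename it `context 'with a path that would decode to a protocol-relative URL' do` or add `# '@@' decodes to '//'; the redirect must resolve to a path on this host` above the `let`. If `redirects_to_canonical_path` (defined above the hunk) compares only the path, an extra assertion that `response.location` carries no host would also catch scheme-bearing targets; confirm against the helper. The enclosing describe block starts outside the hunk.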
@@ -19,33 +19,66 @@ RSpec.shared_examples 'conan ping endpoint' do
 end
 RSpec.shared_examples 'conan search endpoint' do
- before do
- project.update_column(:visibility_level, Gitlab::VisibilityLevel::PUBLIC)
-
- # Do not pass the HTTP_AUTHORIZATION header,
- # in order to test that this public project's packages
- # are visible to anonymous search.
- get api(url), params: params
- end
+ using RSpec::Parameterized::TableSyntax
 subject { json_response['results'] }
- context 'returns packages with a matching name' do
- let(:params) { { q: package.conan_recipe } }
+ context 'with a public project' do
+ before do
+ project.update!(visibility: 'public')
+
+ # Do not pass the HTTP_AUTHORIZATION header,
+ # in order to test that this public project's packages
+ # are visible to anonymous search.
+ get api(url), params: params
+ end
+
+ context 'returns packages with a matching name' do
+ let(:params) { { q: package.conan_recipe } }
+
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ end
+
+ context 'returns packages using a * wildcard' do
+ let(:params) { { q: "#{package.name[0, 3]}*" } }
- it { is_expected.to contain_exactly(package.conan_recipe) }
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ end
+
+ context 'does not return non-matching packages' do
+ let(:params) { { q: "foo" } }
+
+ it { is_expected.to be_blank }
+ end
 end
- context 'returns packages using a * wildcard' do
+ context 'with a private project' do
 let(:params) { { q: "#{package.name[0, 3]}*" } }
- it { is_expected.to contain_exactly(package.conan_recipe) }
- end
+ where(:role, :packages_visible) do
+ :maintainer | true
+ :developer | true
+ :reporter | true
+ :guest | false
+ :anonymous | false
+ end
- context 'does not return non-matching packages' do
- let(:params) { { q: "foo" } }
+ with_them do
+ before do
+ project.update!(visibility: 'private')
+ project.team.truncate
+ user.project_authorizations.delete_all
+ project.add_user(user, role) unless role == :anonymous
+
+ get api(url), params: params, headers: headers
+ end
- it { is_expected.to be_blank }
+ if params[:packages_visible]
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ else
+ it { is_expected.to be_blank }
+ end
+ end
 end
 end |
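Review bot: In the private-project `with_them` block the `:anonymous` row still sends `headers: headers` on the `get api(url)` call, while the public-project context above deliberately omits the authorization header to exercise an unauthenticated client; if `headers` (defined outside the hunk) carries the user's token, the `:anonymous | false` row actually tests a signed-in non-member, and the two cases go through different authorization paths in the finder. Drop the header for that role, `get api(url), params: params, headers: (role == :anonymous ? {} : headers)`, or add a separate row for the signed-in non-member so both are covered explicitly. The `project.team.truncate` / `user.project_authorizations.delete_all` pair also deserves a why-comment, e.g. `# Reset any membership an earlier row added so every role starts from no access`.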