authorGitLab Bot <gitlab-bot@gitlab.com>2022-07-27 18:59:36 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-07-27 18:59:36 +0000
commit7ef2df2453bf5cf0ed95ea97413adec513c0ecca (patch)
treea8abc09fc2f4f04b33209625a5bc2b7fc3bfea2a
parent4dc46d5b97305108c1b635baa4241a2ce04a7ed0 (diff)
Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee
-rw-r--r--app/models/integrations/jira.rb8
-rw-r--r--app/services/grafana/proxy_service.rb10
-rw-r--r--lib/gitlab/regex.rb4
-rw-r--r--spec/models/integrations/jira_spec.rb20
-rw-r--r--spec/services/grafana/proxy_service_spec.rb42
5 files changed, 76 insertions, 8 deletions
diff --git a/app/models/integrations/jira.rb b/app/models/integrations/jira.rb
index 992bd01bf5f..f91e8f904af 100644
--- a/app/models/integrations/jira.rb
+++ b/app/models/integrations/jira.rb
@@ -219,7 +219,9 @@ module Integrations
# support any events.
end
- def find_issue(issue_key, rendered_fields: false, transitions: false)
+ def find_issue(issue_key, rendered_fields: false, transitions: false, restrict_project_key: false)
+ return if restrict_project_key && parse_project_from_issue_key(issue_key) != project_key
+
expands = []
expands << 'renderedFields' if rendered_fields
expands << 'transitions' if transitions
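Review bot: The new `restrict_project_key:` keyword on `find_issue` is undocumented, and its interaction with an unset `project_key` is easy to miss: when `project_key` is nil the comparison on the `return` line never passes, so every restricted lookup returns nil (the spec's `it { is_expected.to eq(nil) }` relies on exactly that). A comment above the method would make the contract explicit, e.g. `# @param restrict_project_key [Boolean] when true, return nil unless the issue key's project prefix equals project_key (a blank project_key therefore disables restricted lookups)`. The body of find_issue continues past the end of the hunk.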
@@ -317,6 +319,10 @@ module Integrations
private
+ def parse_project_from_issue_key(issue_key)
+ issue_key.gsub(Gitlab::Regex.jira_issue_key_project_key_extraction_regex, '')
+ end
+
def branch_name(commit)
commit.first_ref_by_oid(project.repository)
end
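Review bot: `parse_project_from_issue_key` strips with `gsub` and an unanchored `/-\d+/` (defined in the lib/gitlab/regex.rb hunk), so every `-digits` run in the key is removed rather than only the trailing issue number; `'JIRA-1-2'` reduces to `'JIRA'` and passes the project restriction although it is not a well-formed key. I cannot see from this hunk whether `issue_key` is validated before reaching here; if it can arrive unvalidated, anchor the extraction: `@jira_issue_key_project_key_extraction_regex ||= /-\d+\z/` and `issue_key.sub(Gitlab::Regex.jira_issue_key_project_key_extraction_regex, '')`. With `sub` and the `\z` anchor, a key with no trailing number is left intact and simply fails the equality check.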
diff --git a/app/services/grafana/proxy_service.rb b/app/services/grafana/proxy_service.rb
index ac4c3cc091c..37272c85638 100644
--- a/app/services/grafana/proxy_service.rb
+++ b/app/services/grafana/proxy_service.rb
@@ -15,6 +15,10 @@ module Grafana
self.reactive_cache_work_type = :external_dependency
self.reactive_cache_worker_finder = ->(_id, *args) { from_cache(*args) }
+ SUPPORTED_DATASOURCE_PATTERN = %r{\A\d+\z}.freeze
+
+ SUPPORTED_PROXY_PATH = Gitlab::Metrics::Dashboard::Stages::GrafanaFormatter::PROXY_PATH
+
attr_accessor :project, :datasource_id, :proxy_path, :query_params
# @param project_id [Integer] Project id for which grafana is configured.
@@ -38,6 +42,7 @@ module Grafana
end
def execute
+ return cannot_proxy_response unless can_proxy?
return cannot_proxy_response unless client
with_reactive_cache(*cache_key) { |result| result }
@@ -69,6 +74,11 @@ module Grafana
private
+ def can_proxy?
+ SUPPORTED_PROXY_PATH == proxy_path &&
+ SUPPORTED_DATASOURCE_PATTERN.match?(datasource_id)
+ end
+
def client
project.grafana_integration&.client
end
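Review bot: `can_proxy?` calls `SUPPORTED_DATASOURCE_PATTERN.match?(datasource_id)` directly on the accessor; `Regexp#match?` returns false for nil but raises TypeError for an Integer, and the hunk does not show what type the caller assigns. If `datasource_id` can arrive as anything other than a String, `SUPPORTED_DATASOURCE_PATTERN.match?(datasource_id.to_s)` keeps the check total without loosening it, since `\A\d+\z` still rejects `''`. The `\A`/`\z` anchors are the right choice; `^`/`$` would have admitted the `"1\n1"` case the spec adds.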
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index 205106afddb..4b9513f7bd4 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -418,6 +418,10 @@ module Gitlab
@jira_issue_key_regex ||= /[A-Z][A-Z_0-9]+-\d+/
end
+ def jira_issue_key_project_key_extraction_regex
+ @jira_issue_key_project_key_extraction_regex ||= /-\d+/
+ end
+
def jira_transition_id_regex
@jira_transition_id_regex ||= /\d+/
end
diff --git a/spec/models/integrations/jira_spec.rb b/spec/models/integrations/jira_spec.rb
index 061c770a61a..84abcf69fc1 100644
--- a/spec/models/integrations/jira_spec.rb
+++ b/spec/models/integrations/jira_spec.rb
@@ -12,6 +12,7 @@ RSpec.describe Integrations::Jira do
let(:api_url) { 'http://api-jira.example.com' }
let(:username) { 'jira-username' }
let(:password) { 'jira-password' }
+ let(:project_key) { nil }
let(:transition_id) { 'test27' }
let(:server_info_results) { { 'deploymentType' => 'Cloud' } }
let(:jira_integration) do
@@ -19,7 +20,8 @@ RSpec.describe Integrations::Jira do
project: project,
url: url,
username: username,
- password: password
+ password: password,
+ project_key: project_key
)
end
@@ -478,6 +480,22 @@ RSpec.describe Integrations::Jira do
expect(WebMock).to have_requested(:get, issue_url)
end
end
+
+ context 'with restricted restrict_project_key option' do
+ subject(:find_issue) { jira_integration.find_issue(issue_key, restrict_project_key: true) }
+
+ it { is_expected.to eq(nil) }
+
+ context 'and project_key matches' do
+ let(:project_key) { 'JIRA' }
+
+ it 'calls the Jira API to get the issue' do
+ find_issue
+
+ expect(WebMock).to have_requested(:get, issue_url)
+ end
+ end
+ end
end
describe '#close_issue' do
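Review bot: The restricted-lookup context only exercises the mismatch branch through `project_key` being nil (from the new `let` at the top of the file), so a present-but-wrong key is never tested; add a sibling context such as `context 'and project_key does not match' do let(:project_key) { 'OTHER' }; it { is_expected.to be_nil } end`. Prefer `be_nil` over `eq(nil)` in the existing example. The context name `'with restricted restrict_project_key option'` reads awkwardly; `'with restrict_project_key: true'` says the same more directly.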
diff --git a/spec/services/grafana/proxy_service_spec.rb b/spec/services/grafana/proxy_service_spec.rb
index 7ddc31d45d9..99120de3593 100644
--- a/spec/services/grafana/proxy_service_spec.rb
+++ b/spec/services/grafana/proxy_service_spec.rb
@@ -50,12 +50,8 @@ RSpec.describe Grafana::ProxyService do
describe '#execute' do
subject(:result) { service.execute }
- context 'when grafana integration is not configured' do
- before do
- allow(project).to receive(:grafana_integration).and_return(nil)
- end
-
- it 'returns error' do
+ shared_examples 'missing proxy support' do
+ it 'returns API not supported error' do
expect(result).to eq(
status: :error,
message: 'Proxy support for this API is not available currently'
@@ -63,6 +59,40 @@ RSpec.describe Grafana::ProxyService do
end
end
+ context 'with unsupported proxy path' do
+ where(:proxy_path) do
+ %w[
+ /api/vl/query_range
+ api/vl/query_range/
+ api/vl/labels
+ api/v2/query_range
+ ../../../org/users
+ ]
+ end
+
+ with_them do
+ include_examples 'missing proxy support'
+ end
+ end
+
+ context 'with unsupported datasource_id' do
+ where(:datasource_id) do
+ ['', '-1', '1str', 'str1', '../../1', '1/../..', "1\n1"]
+ end
+
+ with_them do
+ include_examples 'missing proxy support'
+ end
+ end
+
+ context 'when grafana integration is not configured' do
+ before do
+ allow(project).to receive(:grafana_integration).and_return(nil)
+ end
+
+ include_examples 'missing proxy support'
+ end
+
context 'with caching', :use_clean_rails_memory_store_caching do
context 'when value not present in cache' do
it 'returns nil' do
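Review bot: Neither table in the new contexts includes nil, although nil is the value a caller would pass when the parameter is omitted; adding `nil` to the `where(:datasource_id)` list (and a nil `proxy_path` row, which means switching that table from `%w[]` to an array literal) would pin that `can_proxy?` rejects it rather than relying on `Regexp#match?` returning false for nil. The `'../../../org/users'` and `"1\n1"` rows already cover the traversal and multi-line-anchor cases directly.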