diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-10 23:24:31 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-10 23:24:31 +0000 |
commit | 83380b5e7f6489d6429af539ebd2fd1bb973d90f (patch) | |
tree | 60df92052073f1619b2b3515b5aa3d928fc60f9c | |
parent | 21585f82e753689cc46f59c02d8e207756d794bf (diff) | |
download | gitlab-ce-83380b5e7f6489d6429af539ebd2fd1bb973d90f.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee
-rw-r--r-- | GITLAB_SHELL_VERSION | 2 | ||||
-rw-r--r-- | app/controllers/projects/pipelines_controller.rb | 1 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-limit-fscanl.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-respect-analytics-enabled-rule-for-project-level-analytics-featu.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-ssl-verification-ftc.yml | 5 | ||||
-rw-r--r-- | lib/gitlab/auth/otp/strategies/forti_token_cloud.rb | 3 | ||||
-rw-r--r-- | spec/factories/projects.rb | 7 | ||||
-rw-r--r-- | spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb | 21 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 72 | ||||
-rw-r--r-- | spec/requests/api/projects_spec.rb | 1 | ||||
-rwxr-xr-x[-rw-r--r--] | vendor/gitignore/C++.gitignore | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | vendor/gitignore/Java.gitignore | 0 |
13 files changed, 119 insertions, 8 deletions
diff --git a/GITLAB_SHELL_VERSION b/GITLAB_SHELL_VERSION index 04f6473099c..548118b6e78 100644 --- a/GITLAB_SHELL_VERSION +++ b/GITLAB_SHELL_VERSION @@ -1 +1 @@ -13.15.0 +13.15.1 diff --git a/app/controllers/projects/pipelines_controller.rb b/app/controllers/projects/pipelines_controller.rb index e44c00e501e..ae8b3d9b51d 100644 --- a/app/controllers/projects/pipelines_controller.rb +++ b/app/controllers/projects/pipelines_controller.rb @@ -9,6 +9,7 @@ class Projects::PipelinesController < Projects::ApplicationController before_action :set_pipeline_path, only: [:show] before_action :authorize_read_pipeline! before_action :authorize_read_build!, only: [:index] + before_action :authorize_read_analytics!, only: [:charts] before_action :authorize_create_pipeline!, only: [:new, :create, :config_variables] before_action :authorize_update_pipeline!, only: [:retry, :cancel] before_action do diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 03cb53f55be..6135523a2f8 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -218,6 +218,7 @@ class ProjectPolicy < BasePolicy enable :read_pages_content enable :read_release enable :read_analytics + enable :read_insights end # These abilities are not allowed to admins that are not members of the project, @@ -447,6 +448,9 @@ class ProjectPolicy < BasePolicy rule { analytics_disabled }.policy do prevent(:read_analytics) + prevent(:read_insights) + prevent(:read_cycle_analytics) + prevent(:read_repository_graphs) end rule { wiki_disabled }.policy do @@ -520,6 +524,7 @@ class ProjectPolicy < BasePolicy enable :read_cycle_analytics enable :read_pages_content enable :read_analytics + enable :read_insights # NOTE: may be overridden by IssuePolicy enable :read_issue diff --git a/changelogs/unreleased/security-limit-fscanl.yml b/changelogs/unreleased/security-limit-fscanl.yml new file mode 100644 index 00000000000..92a2000c1b6 --- /dev/null +++ b/changelogs/unreleased/security-limit-fscanl.yml @@ -0,0 +1,5 @@ +--- +title: Prevent Denial of Service Attack on gitlab-shell +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-respect-analytics-enabled-rule-for-project-level-analytics-featu.yml b/changelogs/unreleased/security-respect-analytics-enabled-rule-for-project-level-analytics-featu.yml new file mode 100644 index 00000000000..46373d314fd --- /dev/null +++ b/changelogs/unreleased/security-respect-analytics-enabled-rule-for-project-level-analytics-featu.yml @@ -0,0 +1,5 @@ +--- +title: Enforce the analytics enabled project setting for project-level analytics features +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-ssl-verification-ftc.yml b/changelogs/unreleased/security-ssl-verification-ftc.yml new file mode 100644 index 00000000000..b87d40124d0 --- /dev/null +++ b/changelogs/unreleased/security-ssl-verification-ftc.yml @@ -0,0 +1,5 @@ +--- +title: Perform SSL verification for FortiTokenCloud Integration +merge_request: +author: +type: security diff --git a/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb b/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb index d7506eca242..079d631e22a 100644 --- a/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb +++ b/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb @@ -61,8 +61,7 @@ module Gitlab headers: { 'Content-Type': 'application/json' }.merge(headers), - body: body, - verify: false # FTC API Docs specifically mentions to turn off SSL Verification while making requests. + body: body ) end end diff --git a/spec/factories/projects.rb b/spec/factories/projects.rb index f5e496080c4..54a5dea49bb 100644 --- a/spec/factories/projects.rb +++ b/spec/factories/projects.rb @@ -28,6 +28,7 @@ FactoryBot.define do forking_access_level { ProjectFeature::ENABLED } merge_requests_access_level { ProjectFeature::ENABLED } repository_access_level { ProjectFeature::ENABLED } + analytics_access_level { ProjectFeature::ENABLED } pages_access_level do visibility_level == Gitlab::VisibilityLevel::PUBLIC ? ProjectFeature::ENABLED : ProjectFeature::PRIVATE end @@ -63,7 +64,8 @@ FactoryBot.define do repository_access_level: evaluator.repository_access_level, pages_access_level: evaluator.pages_access_level, metrics_dashboard_access_level: evaluator.metrics_dashboard_access_level, - operations_access_level: evaluator.operations_access_level + operations_access_level: evaluator.operations_access_level, + analytics_access_level: evaluator.analytics_access_level } project.build_project_feature(hash) @@ -335,6 +337,9 @@ FactoryBot.define do trait(:operations_enabled) { operations_access_level { ProjectFeature::ENABLED } } trait(:operations_disabled) { operations_access_level { ProjectFeature::DISABLED } } trait(:operations_private) { operations_access_level { ProjectFeature::PRIVATE } } + trait(:analytics_enabled) { analytics_access_level { ProjectFeature::ENABLED } } + trait(:analytics_disabled) { analytics_access_level { ProjectFeature::DISABLED } } + trait(:analytics_private) { analytics_access_level { ProjectFeature::PRIVATE } } trait :auto_devops do association :auto_devops, factory: :project_auto_devops diff --git a/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb b/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb index 1580fc82279..368cf98dfec 100644 --- a/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb +++ b/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb @@ -13,6 +13,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do let(:otp_verification_url) { url + '/auth' } let(:access_token) { 'an_access_token' } let(:access_token_create_response_body) { '' } + let(:access_token_request_body) { { client_id: client_id, client_secret: client_secret } } + let(:headers) { { 'Content-Type': 'application/json' } } subject(:validate) { described_class.new(user).validate(otp_code) } @@ -27,11 +29,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do client_secret: client_secret ) - access_token_request_body = { client_id: client_id, - client_secret: client_secret } - stub_request(:post, access_token_create_url) - .with(body: JSON(access_token_request_body), headers: { 'Content-Type' => 'application/json' }) + .with(body: JSON(access_token_request_body), headers: headers) .to_return( status: access_token_create_response_status, body: Gitlab::Json.generate(access_token_create_response_body), @@ -81,6 +80,20 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do end end + context 'SSL Verification' do + let(:access_token_create_response_status) { 400 } + + context 'with `Gitlab::HTTP`' do + it 'does not use a `verify` argument,'\ + 'thereby always performing SSL verification while making API calls' do + expect(Gitlab::HTTP).to receive(:post) + .with(access_token_create_url, body: JSON(access_token_request_body), headers: headers).and_call_original + + validate + end + end + end + def stub_forti_token_cloud_config(forti_token_cloud_settings) allow(::Gitlab.config.forti_token_cloud).to(receive_messages(forti_token_cloud_settings)) end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index e6650549f7f..8bd4a463f87 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -992,6 +992,78 @@ RSpec.describe ProjectPolicy do it { is_expected.to be_allowed(:read_analytics) } end + context 'with various analytics features' do + let_it_be(:project_with_analytics_disabled) { create(:project, :analytics_disabled) } + let_it_be(:project_with_analytics_private) { create(:project, :analytics_private) } + let_it_be(:project_with_analytics_enabled) { create(:project, :analytics_enabled) } + + before do + project_with_analytics_disabled.add_developer(developer) + project_with_analytics_private.add_developer(developer) + project_with_analytics_enabled.add_developer(developer) + end + + context 'when analytics is enabled for the project' do + let(:project) { project_with_analytics_disabled } + + context 'for guest user' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:read_cycle_analytics) } + it { is_expected.to be_disallowed(:read_insights) } + it { is_expected.to be_disallowed(:read_repository_graphs) } + end + + context 'for developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:read_cycle_analytics) } + it { is_expected.to be_disallowed(:read_insights) } + it { is_expected.to be_disallowed(:read_repository_graphs) } + end + end + + context 'when analytics is private for the project' do + let(:project) { project_with_analytics_private } + + context 'for guest user' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:read_cycle_analytics) } + it { is_expected.to be_disallowed(:read_insights) } + it { is_expected.to be_disallowed(:read_repository_graphs) } + end + + context 'for developer' do + let(:current_user) { developer } + + it { is_expected.to be_allowed(:read_cycle_analytics) } + it { is_expected.to be_allowed(:read_insights) } + it { is_expected.to be_allowed(:read_repository_graphs) } + end + end + + context 'when analytics is enabled for the project' do + let(:project) { project_with_analytics_private } + + context 'for guest user' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:read_cycle_analytics) } + it { is_expected.to be_disallowed(:read_insights) } + it { is_expected.to be_disallowed(:read_repository_graphs) } + end + + context 'for developer' do + let(:current_user) { developer } + + it { is_expected.to be_allowed(:read_cycle_analytics) } + it { is_expected.to be_allowed(:read_insights) } + it { is_expected.to be_allowed(:read_repository_graphs) } + end + end + end + context 'project member' do let(:project) { private_project } diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index e3eb3649a1a..8a4a7880ab4 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -886,6 +886,7 @@ RSpec.describe API::Projects do merge_method: 'ff' }).tap do |attrs| attrs[:operations_access_level] = 'disabled' + attrs[:analytics_access_level] = 'disabled' end post api('/projects', user), params: project diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore index 259148fa18f..259148fa18f 100644..100755 --- a/vendor/gitignore/C++.gitignore +++ b/vendor/gitignore/C++.gitignore diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore index a1c2a238a96..a1c2a238a96 100644..100755 --- a/vendor/gitignore/Java.gitignore +++ b/vendor/gitignore/Java.gitignore |