author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-05-31 03:08:19 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-05-31 03:08:19 +0000 |
commit | 226c5810c9f0171ba0daceb1cd3d72b43860647a (patch) | |
tree | c791cdd58ba0adcdd9b8f75a3c8c10a2c87bb0db | |
parent | 68e6b85dfa8944ed0dd0717fb0e1e572a8b63fdc (diff) | |
download | gitlab-ce-226c5810c9f0171ba0daceb1cd3d72b43860647a.tar.gz |
Add latest changes from gitlab-org/gitlab@master
19 files changed, 145 insertions, 14 deletions
diff --git a/app/assets/javascripts/feature_flags/components/feature_flags.vue b/app/assets/javascripts/feature_flags/components/feature_flags.vue
index 53909dcf42e..c86a9fce050 100644
--- a/app/assets/javascripts/feature_flags/components/feature_flags.vue
+++ b/app/assets/javascripts/feature_flags/components/feature_flags.vue
@@ -161,7 +161,7 @@ export default {
 <gl-button
 v-if="canUserConfigure"
 v-gl-modal="'configure-feature-flags'"
- variant="info"
+ variant="confirm"
 category="secondary"
 data-qa-selector="configure_feature_flags_button"
 data-testid="ff-configure-button"
@@ -197,7 +197,7 @@ export default {
 :href="userListPath"
 variant="confirm"
 category="tertiary"
- class="gl-mb-0 gl-mr-4"
+ class="gl-mb-0 gl-mr-3"
 data-testid="ff-user-list-button"
 >
 {{ s__('FeatureFlags|View user lists') }}
@@ -205,11 +205,11 @@ export default {
 <gl-button
 v-if="canUserConfigure"
 v-gl-modal="'configure-feature-flags'"
- variant="info"
+ variant="confirm"
 category="secondary"
 data-qa-selector="configure_feature_flags_button"
 data-testid="ff-configure-button"
- class="gl-mb-0 gl-mr-4"
+ class="gl-mb-0 gl-mr-3"
 >
 {{ s__('FeatureFlags|Configure') }}
 </gl-button>
diff --git a/db/migrate/20220530103023_add_created_at_and_id_index_to_deployment_approvals.rb b/db/migrate/20220530103023_add_created_at_and_id_index_to_deployment_approvals.rb
new file mode 100644
index 00000000000..88117b310c9
--- /dev/null
+++ b/db/migrate/20220530103023_add_created_at_and_id_index_to_deployment_approvals.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddCreatedAtAndIdIndexToDeploymentApprovals < Gitlab::Database::Migration[2.0]
+ disable_ddl_transaction!
+
+ INDEX_NAME = 'index_deployment_approvals_on_created_at_and_id'
+
+ def up
+ add_concurrent_index :deployment_approvals, %i[created_at id], name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index :deployment_approvals, %i[created_at id], name: INDEX_NAME
+ end
+end
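Review bot: `down` removes the index by column list and name (`remove_concurrent_index :deployment_approvals, %i[created_at id], name: INDEX_NAME`) while the sibling migration in this same commit uses `remove_concurrent_index_by_name :ci_job_artifacts, INDEX_NAME`; since the name is fixed by `INDEX_NAME`, `remove_concurrent_index_by_name :deployment_approvals, INDEX_NAME` is the simpler form and keeps the two migrations consistent. The two files also order `disable_ddl_transaction!` and `INDEX_NAME` differently, which is harmless but worth aligning while both are fresh. A one-line comment above `add_concurrent_index` naming the query this `(created_at, id)` ordering is meant to serve — presumably a time-ordered, keyset-paginated listing of approvals, but that is not visible from the hunk — would help whoever later audits index usage on this table.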
diff --git a/db/post_migrate/20220530074027_add_project_id_index_to_job_artifacts.rb b/db/post_migrate/20220530074027_add_project_id_index_to_job_artifacts.rb
new file mode 100644
index 00000000000..fb75f368835
--- /dev/null
+++ b/db/post_migrate/20220530074027_add_project_id_index_to_job_artifacts.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddProjectIdIndexToJobArtifacts < Gitlab::Database::Migration[2.0]
+ INDEX_NAME = 'index_ci_job_artifacts_on_project_id_and_id'
+
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_index :ci_job_artifacts, [:project_id, :id], name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index_by_name :ci_job_artifacts, INDEX_NAME
+ end
+end
diff --git a/db/schema_migrations/20220530074027 b/db/schema_migrations/20220530074027
new file mode 100644
index 00000000000..418f778a8c3
--- /dev/null
+++ b/db/schema_migrations/20220530074027
@@ -0,0 +1 @@
+3cef4a4f50ebe3d8e23e9c014a57e4c98f8fd27a9f071725a882c5a1a4d228cc
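Review bot: The new `(project_id, id)` btree overlaps the existing single-column `index_ci_job_artifacts_on_project_id`, which the `db/structure.sql` hunk in this same commit still lists directly above the new index; Postgres can serve plain `project_id` lookups from the leading column of the composite index, so keeping both doubles write-side index maintenance on what is presumably one of the largest CI tables. If the old index is intentionally retained (size, a partial-index interaction, or a planner reason), a short comment in `up` saying so would stop the next reader from filing the same question; otherwise a follow-up post-deployment migration dropping it is worth scheduling alongside this one. As with the sibling migration, a comment naming the query this index is meant to serve would make a later index-usage audit much easier.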
\ No newline at end of file
diff --git a/db/schema_migrations/20220530103023 b/db/schema_migrations/20220530103023
new file mode 100644
index 00000000000..f4a0d805208
--- /dev/null
+++ b/db/schema_migrations/20220530103023
@@ -0,0 +1 @@
+8ad5a7cb60abd381850569ddf5ab274d66cf1960d11073825a283f902171b343
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 335798e8e91..d610885ba57 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -27327,6 +27327,8 @@ CREATE UNIQUE INDEX index_ci_job_artifacts_on_job_id_and_file_type ON ci_job_art
 
 CREATE INDEX index_ci_job_artifacts_on_project_id ON ci_job_artifacts USING btree (project_id);
 
+CREATE INDEX index_ci_job_artifacts_on_project_id_and_id ON ci_job_artifacts USING btree (project_id, id);
+
 CREATE INDEX index_ci_job_artifacts_on_project_id_for_security_reports ON ci_job_artifacts USING btree (project_id) WHERE (file_type = ANY (ARRAY[5, 6, 7, 8]));
 
 CREATE INDEX index_ci_job_token_project_scope_links_on_added_by_id ON ci_job_token_project_scope_links USING btree (added_by_id);
@@ -27719,6 +27721,8 @@ CREATE UNIQUE INDEX index_deploy_tokens_on_token_encrypted ON deploy_tokens USIN
 
 CREATE INDEX index_deployment_approvals_on_approval_rule_id ON deployment_approvals USING btree (approval_rule_id);
 
+CREATE INDEX index_deployment_approvals_on_created_at_and_id ON deployment_approvals USING btree (created_at, id);
+
 CREATE UNIQUE INDEX index_deployment_approvals_on_deployment_id_and_user_id ON deployment_approvals USING btree (deployment_id, user_id);
 
 CREATE INDEX index_deployment_approvals_on_user_id ON deployment_approvals USING btree (user_id);
diff --git a/doc/administration/instance_limits.md b/doc/administration/instance_limits.md
index 1ebc9d3e31a..4eb2b708fbf 100644
--- a/doc/administration/instance_limits.md
+++ b/doc/administration/instance_limits.md
@@ -164,6 +164,14 @@ This setting limits global search requests.
 | Authenticated user | 30 |
 | Unauthenticated user | 10 |
 
+### Pipeline creation rate limit
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/362475) in GitLab 15.0.
+
+This setting limits the request rate to the pipeline creation endpoints.
+
+Read more about [pipeline creation rate limits](../user/admin_area/settings/rate_limit_on_pipelines_creation.md).
+
 ## Gitaly concurrency limit
 
 Clone traffic can put a large strain on your Gitaly service. To prevent such workloads from overwhelming your Gitaly server, you can set concurrency limits in Gitaly's configuration file.
diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md
index 26aada71230..695a0d52af6 100644
--- a/doc/security/rate_limits.md
+++ b/doc/security/rate_limits.md
@@ -32,8 +32,8 @@ similarly mitigated by a rate limit.
 You can set these rate limits in the Admin Area of your instance:
 
 - [Import/Export rate limits](../user/admin_area/settings/import_export_rate_limits.md)
-- [Issues rate limits](../user/admin_area/settings/rate_limit_on_issues_creation.md)
-- [Notes rate limits](../user/admin_area/settings/rate_limit_on_notes_creation.md)
+- [Issue rate limits](../user/admin_area/settings/rate_limit_on_issues_creation.md)
+- [Note rate limits](../user/admin_area/settings/rate_limit_on_notes_creation.md)
 - [Protected paths](../user/admin_area/settings/protected_paths.md)
 - [Raw endpoints rate limits](../user/admin_area/settings/rate_limits_on_raw_endpoints.md)
 - [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md)
@@ -42,6 +42,7 @@ You can set these rate limits in the Admin Area of your instance:
 - [Files API rate limits](../user/admin_area/settings/files_api_rate_limits.md)
 - [Deprecated API rate limits](../user/admin_area/settings/deprecated_api_rate_limits.md)
 - [GitLab Pages rate limits](../administration/pages/index.md#rate-limits)
+- [Pipeline rate limits](../user/admin_area/settings/rate_limit_on_pipelines_creation.md)
 
 You can set these rate limits using the Rails console:
 
diff --git a/doc/user/application_security/dast/checks/1004.1.md b/doc/user/application_security/dast/checks/1004.1.md
index 9626973eb36..72af1156b95 100644
--- a/doc/user/application_security/dast/checks/1004.1.md
+++ b/doc/user/application_security/dast/checks/1004.1.md
@@ -10,7 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 The {cookie_name} cookie was transmitted in a `Set-Cookie` header without the `HttpOnly` attribute set.
 To prevent JavaScript being able to access the cookie value - usually via `document.cookies` - all
-cookies that are used for authorization or contain sensitive information should have the `HttpOnly` attribute
+cookies that are used for authorization should have the `HttpOnly` attribute
 set.
 
 ## Remediation
diff --git a/doc/user/application_security/dast/checks/16.3.md b/doc/user/application_security/dast/checks/16.3.md
index 6f80a2a32c6..e4fc2468dae 100644
--- a/doc/user/application_security/dast/checks/16.3.md
+++ b/doc/user/application_security/dast/checks/16.3.md
@@ -32,4 +32,4 @@ information from the `X-Powered-By` header.
 ## Links
 
 - [CWE](https://cwe.mitre.org/data/definitions/16.html)
-- [PHP `expose_php`](https://www.php.net/manual/en/ini.core.php#ini.expose-php)
+- [PHP expose_php](https://www.php.net/manual/en/ini.core.php#ini.expose-php)
diff --git a/doc/user/application_security/dast/checks/16.5.md b/doc/user/application_security/dast/checks/16.5.md
index e03da3043ef..28bb9f7ee4b 100644
--- a/doc/user/application_security/dast/checks/16.5.md
+++ b/doc/user/application_security/dast/checks/16.5.md
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 ## Description
 
-The target website returns AspNet headers and version information of this website. By
+The target website returns AspNet header(s) and version information of this website. By
 exposing these values attackers may attempt to identify if the target software is vulnerable to known vulnerabilities, or catalog known sites running particular versions to exploit in the future when a vulnerability is identified in the particular version.
diff --git a/doc/user/application_security/dast/checks/16.6.md b/doc/user/application_security/dast/checks/16.6.md
index 9cbcde669a0..ddd3a10c5f8 100644
--- a/doc/user/application_security/dast/checks/16.6.md
+++ b/doc/user/application_security/dast/checks/16.6.md
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 ## Description
 
-The target website returns AspNet headers along with version information of this website. By
+The target website returns AspNet header(s) along with version information of this website. By
 exposing these values attackers may attempt to identify if the target software is vulnerable to known vulnerabilities. Or catalog known sites running particular versions to exploit in the future when a vulnerability is identified in the particular version.
diff --git a/doc/user/application_security/dast/checks/16.7.md b/doc/user/application_security/dast/checks/16.7.md
new file mode 100644
index 00000000000..a02fb3a451f
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.7.md
@@ -0,0 +1,42 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Strict-Transport-Security header missing or invalid
+
+## Description
+
+The `Strict-Transport-Security` header was found to be missing or invalid. The `Strict-Transport-Security`
+header allows web site operators to force communications to occur over a TLS connection. By enabling this
+header, websites can protect their users from various forms of network eavesdropping or interception attacks.
+While most browsers prevent mixed-content (loading resources from HTTP when navigating from an HTTPS site),
+this header also ensures that all resource requests are only ever initiated over a secure transport.
+
+## Remediation
+
+Only three directives are applicable for the `Strict-Transport-Security` header.
+
+1. `max-age`: This required directive specifies how long (in seconds) after receiving the response it should communicate only over a secure transport.
+1. `includeSubDomains`: This optional, valueless directive signals that the policy applies to this host as well as any subdomains found under this host's domain.
+1. `preload`: While not part of the specification, setting this optional value allows major browser organizations to add this site into the browser's preloaded set of HTTPS sites. This requires further action on behalf of the website operator to submit their domain to the browser's HSTS preload list. See [hstspreload.org](https://hstspreload.org/) for more information.
+
+Note that invalid directives, or the `Strict-Transport-Security` header appearing more than once (if the values are
+different) is considered invalid.
+
+Prior to adding to this security configuration to your website, it is recommended you review the hstspreload.org [Deployment
+Recommendations](https://hstspreload.org/#deployment-recommendations).
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.7 | true | 16 | Passive | Low |
+
+## Links
+
+- [CWE](https://cwe.mitre.org/data/definitions/16.html)
+- [Deployment Recommendations](https://hstspreload.org/#deployment-recommendations)
+- [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html)
+- [RFC](https://datatracker.ietf.org/doc/html/rfc6797)
diff --git a/doc/user/application_security/dast/checks/200.1.md b/doc/user/application_security/dast/checks/200.1.md
index 9795ad11b0b..fcd329c3f2b 100644
--- a/doc/user/application_security/dast/checks/200.1.md
+++ b/doc/user/application_security/dast/checks/200.1.md
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 ## Description
 
-A private RFC 1918 was identified in the target application. Public facing websites should not be issuing
+A private RFC 1918/RFC 4193 address was identified in the target application. Public facing websites should not be issuing
 requests to private IP Addresses. Attackers attempting to execute subsequent attacks, such as Server-Side Request Forgery (SSRF), may be able to use this information to identify additional internal targets.
@@ -27,3 +27,4 @@ facing version, or remove the reference from the target application.
 
 - [CWE](https://cwe.mitre.org/data/definitions/200.html)
 - [RFC](https://datatracker.ietf.org/doc/html/rfc1918)
+- [RFC](https://datatracker.ietf.org/doc/html/rfc4193)
diff --git a/doc/user/application_security/dast/checks/352.1.md b/doc/user/application_security/dast/checks/352.1.md
new file mode 100644
index 00000000000..4daba908331
--- /dev/null
+++ b/doc/user/application_security/dast/checks/352.1.md
@@ -0,0 +1,41 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Absence of anti-CSRF tokens
+
+## Description
+
+The application failed to protect against Cross-Site Request Forgery (CSRF) by using
+secure application tokens or `SameSite` cookie directives.
+
+The vulnerability can be exploited by an attacker creating a link or form on a third
+party site and tricking an authenticated victim to access them.
+
+## Remediation
+
+Consider setting all session cookies to have the `SameSite=Strict` attribute. However,
+it should be noted that this may impact usability when sharing links across other mediums.
+It is recommended that a two cookie based approach is taken, as outlined in the
+[Top level navigations](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-08#section-8.8.2) section
+of the RFC.
+
+If the application is using a common framework, there is a chance that Anti-CSRF protection
+is built in but needs to be enabled. Consult your application framework documentation for
+details.
+
+If neither of the above are applicable, it is **strongly** recommended that a third party library is used.
+Implementing a secure Anti-CSRF system is a significant investment and difficult to do correctly.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 352.1 | true | 352 | Passive | Medium |
+
+## Links
+
+- [OWASP](https://owasp.org/www-community/attacks/csrf)
+- [CWE](https://cwe.mitre.org/data/definitions/352.html)
diff --git a/doc/user/application_security/dast/checks/548.1.md b/doc/user/application_security/dast/checks/548.1.md
index d6371c5491d..1da2ce58247 100644
--- a/doc/user/application_security/dast/checks/548.1.md
+++ b/doc/user/application_security/dast/checks/548.1.md
@@ -39,7 +39,7 @@ indexing.
 
 ## Links
 
-- [CWE](https://cwe.mitre.org/data/definitions/598.html)
+- [CWE](https://cwe.mitre.org/data/definitions/548.html)
 - [Apache Options](https://httpd.apache.org/docs/2.4/mod/core.html#options)
 - [NGINX autoindex](https://nginx.org/en/docs/http/ngx_http_autoindex_module.html)
 - [IIS directoryBrowse element](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse)
diff --git a/doc/user/application_security/dast/checks/598.2.md b/doc/user/application_security/dast/checks/598.2.md
index f6c6787128d..05d04b71cf0 100644
--- a/doc/user/application_security/dast/checks/598.2.md
+++ b/doc/user/application_security/dast/checks/598.2.md
@@ -16,7 +16,7 @@ be able to gain access to the target account.
 
 ## Remediation
 
 Passwords should never be sent in GET requests. When authenticating users or requesting users
-reset their passwords, always use POST requests to transmit sensitive data.
+reset their passwords, always use `POST` requests to transmit sensitive data.
 
 ## Details
diff --git a/doc/user/application_security/dast/checks/598.3.md b/doc/user/application_security/dast/checks/598.3.md
index fa6fdf43e1c..be17fdcaef6 100644
--- a/doc/user/application_security/dast/checks/598.3.md
+++ b/doc/user/application_security/dast/checks/598.3.md
@@ -17,7 +17,7 @@ target account.
 
 ## Remediation
 
 Authorization header details should never be sent in GET requests. When transmitting sensitive information
-such as JWT tokens, always use POST requests or headers to transmit the sensitive data.
+such as JWT tokens, always use `POST` requests or headers to transmit the sensitive data.
 
 ## Details
diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md
index 629ff1c3a8d..a710bffdcfe 100644
--- a/doc/user/application_security/dast/checks/index.md
+++ b/doc/user/application_security/dast/checks/index.md
@@ -17,7 +17,9 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne
 | [16.4](16.4.md) | X-Backend-Server header exposes server information | Info | Passive |
 | [16.5](16.5.md) | AspNet header exposes version information | Low | Passive |
 | [16.6](16.6.md) | AspNetMvc header exposes version information | Low | Passive |
+| [16.7](16.7.md) | Strict-Transport-Security header missing or invalid | Low | Passive |
 | [200.1](200.1.md) | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive |
+| [352.1](352.1.md) | Absence of anti-CSRF tokens | Medium | Passive |
 | [359.1](359.1.md) | Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) | Medium | Passive |
 | [359.2](359.2.md) | Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) | Medium | Passive |
 | [548.1](548.1.md) | Exposure of information through directory listing | Low | Passive |