authorGitLab Bot <gitlab-bot@gitlab.com>2020-04-27 14:34:32 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-04-27 14:34:32 +0000
commit3625b2d802d094d92498a00b8206fba46948b348 (patch)
treecc46e7f9304dd45e9a8996243c876c191a0c6e03
parent9d231b25b490c773c8a641f35b8308e1fbd525ac (diff)
downloadgitlab-ce-3625b2d802d094d92498a00b8206fba46948b348.tar.gz
Add latest changes from gitlab-org/security/gitlab@12-9-stable-ee
-rw-r--r--CHANGELOG-EE.md2
-rw-r--r--CHANGELOG.md1
-rw-r--r--app/helpers/projects_helper.rb1
-rw-r--r--app/serializers/remote_mirror_entity.rb2
-rw-r--r--changelogs/unreleased/bug-codeowner-diffs.yml5
-rw-r--r--changelogs/unreleased/security-branch-permissions.yml5
-rw-r--r--changelogs/unreleased/security-mirror-urls.yml5
-rw-r--r--spec/helpers/application_helper_spec.rb23
-rw-r--r--spec/serializers/remote_mirror_entity_spec.rb7
-rw-r--r--[-rwxr-xr-x]vendor/gitignore/C++.gitignore0
-rw-r--r--[-rwxr-xr-x]vendor/gitignore/Java.gitignore0
11 files changed, 44 insertions, 7 deletions
diff --git a/CHANGELOG-EE.md b/CHANGELOG-EE.md
index 6d1fb38d45d..80b075c9129 100644
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
@@ -2,6 +2,8 @@ Please view this file on the master branch, on stable branches it's out of date.
## 12.9.4 (2020-04-16)
+- No changes.
+- No changes.
### Fixed (2 changes)
- Update index_options to fix advanced search queries. !28712
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ab3acd003dd..ef15236375c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ entry.
## 12.9.4 (2020-04-16)
- No changes.
+- No changes.
### Fixed (5 changes, 1 of them is from the community)
- Fix not working File upload from Project overview page. !26828 (Gilang Gumilar)
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index cf9f3b9e924..8c362645354 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -622,6 +622,7 @@ module ProjectsHelper
def find_file_path
return unless @project && !@project.empty_repo?
+ return unless can?(current_user, :download_code, @project)
ref = @ref || @project.repository.root_ref
diff --git a/app/serializers/remote_mirror_entity.rb b/app/serializers/remote_mirror_entity.rb
index 8835c6d4647..440e4274668 100644
--- a/app/serializers/remote_mirror_entity.rb
+++ b/app/serializers/remote_mirror_entity.rb
@@ -2,7 +2,7 @@
class RemoteMirrorEntity < Grape::Entity
expose :id
- expose :url
+ expose :safe_url, as: :url
expose :enabled
expose :auth_method
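Review bot: `expose :safe_url, as: :url` fixes the serialized value but leaves no trace in the entity of why the raw attribute must not come back, so a future contributor adding `expose :url` would silently reintroduce the credential leak; a comment on that line such as `# Never expose the raw url: it may embed HTTP basic-auth credentials; safe_url has them stripped` is worth adding. Whether `safe_url` also removes the username is not visible here (the method is defined outside this file), and the companion spec only asserts that the literal `password` is absent, so confirming and documenting exactly what is stripped would help. The `RemoteMirrorEntity` class continues past the hunk.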
diff --git a/changelogs/unreleased/bug-codeowner-diffs.yml b/changelogs/unreleased/bug-codeowner-diffs.yml
new file mode 100644
index 00000000000..996628240ab
--- /dev/null
+++ b/changelogs/unreleased/bug-codeowner-diffs.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure MR diff exists before codeowner check
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-branch-permissions.yml b/changelogs/unreleased/security-branch-permissions.yml
new file mode 100644
index 00000000000..6b8abe3eda6
--- /dev/null
+++ b/changelogs/unreleased/security-branch-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent unauthorized access to default branch
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-mirror-urls.yml b/changelogs/unreleased/security-mirror-urls.yml
new file mode 100644
index 00000000000..774fe7758f7
--- /dev/null
+++ b/changelogs/unreleased/security-mirror-urls.yml
@@ -0,0 +1,5 @@
+---
+title: Return only safe urls for mirrors
+merge_request:
+author:
+type: security
diff --git a/spec/helpers/application_helper_spec.rb b/spec/helpers/application_helper_spec.rb
index a67475e47a3..a96046735c8 100644
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -277,11 +277,16 @@ describe ApplicationHelper do
end
context 'when @project is set' do
- it 'includes all possible body data elements and associates the project elements with project' do
- project = create(:project)
+ let_it_be(:project) { create(:project, :repository) }
+ let_it_be(:user) { create(:user) }
+ before do
assign(:project, project)
+ allow(helper).to receive(:current_user).and_return(nil)
+ end
+ it 'includes all possible body data elements and associates the project elements with project' do
+ expect(helper).to receive(:can?).with(nil, :download_code, project)
expect(helper.body_data).to eq(
{
page: 'application',
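Review bot: `expect(helper).to receive(:can?).with(nil, :download_code, project)` at the top of the rewritten example sets no return value, so the stub returns nil and the example exercises the denied path only implicitly; the second hunk spells this out with `.and_return(false)`, and this one should match: `expect(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)`. That also signals to a reader that `find_file` is intentionally absent from the expected hash. The `expect(helper.body_data).to eq(` literal continues outside the hunk.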
@@ -302,12 +307,11 @@ describe ApplicationHelper do
context 'when params[:id] is present and the issue exsits and action_name is show' do
it 'sets all project and id elements correctly related to the issue' do
- issue = create(:issue)
+ issue = create(:issue, project: project)
stub_controller_method(:action_name, 'show')
stub_controller_method(:params, { id: issue.id })
- assign(:project, issue.project)
-
+ expect(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
expect(helper.body_data).to eq(
{
page: 'projects:issues:show',
@@ -322,6 +326,15 @@ describe ApplicationHelper do
end
end
end
+
+ context 'when current_user has download_code permission' do
+ it 'returns find_file with the default branch' do
+ allow(helper).to receive(:current_user).and_return(user)
+
+ expect(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
+ expect(helper.body_data[:find_file]).to end_with(project.default_branch)
+ end
+ end
end
def stub_controller_method(method_name, value)
diff --git a/spec/serializers/remote_mirror_entity_spec.rb b/spec/serializers/remote_mirror_entity_spec.rb
index 5f4aac213be..27472c46436 100644
--- a/spec/serializers/remote_mirror_entity_spec.rb
+++ b/spec/serializers/remote_mirror_entity_spec.rb
@@ -3,7 +3,7 @@
require 'spec_helper'
describe RemoteMirrorEntity do
- let(:project) { create(:project, :repository, :remote_mirror) }
+ let(:project) { create(:project, :repository, :remote_mirror, url: "https://test:password@gitlab.com") }
let(:remote_mirror) { project.remote_mirrors.first }
let(:entity) { described_class.new(remote_mirror) }
@@ -15,4 +15,9 @@ describe RemoteMirrorEntity do
:ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints
)
end
+
+ it 'does not expose password information' do
+ expect(subject[:url]).not_to include('password')
+ expect(subject[:url]).to eq(remote_mirror.safe_url)
+ end
end
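Review bot: The second assertion in the new example, `expect(subject[:url]).to eq(remote_mirror.safe_url)`, is tautological: it compares the entity's output against the very method the entity now calls, so it cannot fail independently of the first assertion. Pinning the literal sanitized form the fixture should produce — for example `expect(subject[:url]).to eq('https://test@gitlab.com')` if `safe_url` is specified to drop only the password (constructed value; adjust to the documented contract) — would make the spec independent of the implementation it guards. `subject` is defined outside the hunk.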
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100755..100644
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100755..100644
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore