diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 12:58:52 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 12:59:18 +0000 |
commit | ca3adb2af6c380c90e10b599bfd99662a4108771 (patch) | |
tree | ec7af87398d0591220134fb77f80201d12818f15 | |
parent | e87fbda1d91e97a958bdf97d781dd754a867ea7b (diff) | |
download | gitlab-ce-ca3adb2af6c380c90e10b599bfd99662a4108771.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-1-stable-ee
-rw-r--r-- | app/assets/javascripts/users_select/index.js | 2 | ||||
-rw-r--r-- | app/controllers/admin/users_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/concerns/impersonation.rb | 13 | ||||
-rw-r--r-- | spec/controllers/admin/impersonations_controller_spec.rb | 8 | ||||
-rw-r--r-- | spec/controllers/admin/users_controller_spec.rb | 8 | ||||
-rw-r--r-- | spec/frontend/users_select/index_spec.js | 16 |
6 files changed, 47 insertions, 1 deletions
diff --git a/app/assets/javascripts/users_select/index.js b/app/assets/javascripts/users_select/index.js index 7c17ce85cc6..1f4c846b1cf 100644 --- a/app/assets/javascripts/users_select/index.js +++ b/app/assets/javascripts/users_select/index.js @@ -847,7 +847,7 @@ UsersSelect.prototype.renderApprovalRules = function (elsClassName, approvalRule const [rule] = approvalRules; const countText = sprintf(__('(+%{count} rules)'), { count }); const renderApprovalRulesCount = count > 1 ? `<span class="ml-1">${countText}</span>` : ''; - const ruleName = rule.rule_type === 'code_owner' ? __('Code Owner') : rule.name; + const ruleName = rule.rule_type === 'code_owner' ? __('Code Owner') : escape(rule.name); return `<div class="gl-display-flex gl-font-sm"> <span class="gl-text-truncate" title="${ruleName}">${ruleName}</span> diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb index 677e61dc9f0..41ef79c6d39 100644 --- a/app/controllers/admin/users_controller.rb +++ b/app/controllers/admin/users_controller.rb @@ -48,6 +48,7 @@ class Admin::UsersController < Admin::ApplicationController session[:impersonator_id] = current_user.id warden.set_user(user, scope: :user) + clear_access_token_session_keys! log_impersonation_event diff --git a/app/controllers/concerns/impersonation.rb b/app/controllers/concerns/impersonation.rb index 0764fbc8eb3..539dd9ad69d 100644 --- a/app/controllers/concerns/impersonation.rb +++ b/app/controllers/concerns/impersonation.rb @@ -3,6 +3,12 @@ module Impersonation include Gitlab::Utils::StrongMemoize + SESSION_KEYS_TO_DELETE = %w( + github_access_token gitea_access_token gitlab_access_token + bitbucket_token bitbucket_refresh_token bitbucket_server_personal_access_token + bulk_import_gitlab_access_token fogbugz_token + ).freeze + def current_user user = super @@ -27,6 +33,7 @@ module Impersonation warden.set_user(impersonator, scope: :user) session[:impersonator_id] = nil + clear_access_token_session_keys! current_user end @@ -39,6 +46,12 @@ module Impersonation Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{current_user.username}") end + def clear_access_token_session_keys! + access_tokens_keys = session.keys & SESSION_KEYS_TO_DELETE + + access_tokens_keys.each { |key| session.delete(key) } + end + def impersonator strong_memoize(:impersonator) do User.find(session[:impersonator_id]) if session[:impersonator_id] diff --git a/spec/controllers/admin/impersonations_controller_spec.rb b/spec/controllers/admin/impersonations_controller_spec.rb index 744c0712d6b..ccf4454c349 100644 --- a/spec/controllers/admin/impersonations_controller_spec.rb +++ b/spec/controllers/admin/impersonations_controller_spec.rb @@ -92,6 +92,14 @@ RSpec.describe Admin::ImpersonationsController do expect(warden.user).to eq(impersonator) end + + it 'clears token session keys' do + session[:bitbucket_token] = SecureRandom.hex(8) + + delete :destroy + + expect(session[:bitbucket_token]).to be_nil + end end # base case diff --git a/spec/controllers/admin/users_controller_spec.rb b/spec/controllers/admin/users_controller_spec.rb index 4e8eb552210..bcb3e34624b 100644 --- a/spec/controllers/admin/users_controller_spec.rb +++ b/spec/controllers/admin/users_controller_spec.rb @@ -796,6 +796,14 @@ RSpec.describe Admin::UsersController do expect(flash[:alert]).to eq("You are now impersonating #{user.username}") end + + it 'clears token session keys' do + session[:github_access_token] = SecureRandom.hex(8) + + post :impersonate, params: { id: user.username } + + expect(session[:github_access_token]).to be_nil + end end context "when impersonation is disabled" do diff --git a/spec/frontend/users_select/index_spec.js b/spec/frontend/users_select/index_spec.js index 99caaf61c54..0d2aae78944 100644 --- a/spec/frontend/users_select/index_spec.js +++ b/spec/frontend/users_select/index_spec.js @@ -1,3 +1,5 @@ +import { escape } from 'lodash'; +import UsersSelect from '~/users_select/index'; import { createInputsModelExpectation, createUnassignedExpectation, @@ -91,5 +93,19 @@ describe('~/users_select/index', () => { expect(findDropdownItemsModel()).toEqual(expectation); }); }); + + describe('renderApprovalRules', () => { + const ruleNames = ['simple-name', '"\'<>&', '"><script>alert(1)<script>']; + + it.each(ruleNames)('escapes rule name correctly for %s', (name) => { + const escapedName = escape(name); + + expect( + UsersSelect.prototype.renderApprovalRules('reviewer', [{ name }]), + ).toMatchInterpolatedText( + `<div class="gl-display-flex gl-font-sm"> <span class="gl-text-truncate" title="${escapedName}">${escapedName}</span> </div>`, + ); + }); + }); }); }); |