author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-28 22:05:40 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-28 22:05:44 +0000 |
commit | f5897da89ca63facbef54c23cff894f2bbe8e644 (patch) | |
tree | 9671f60e71b3cb78705a211977870fb1c5a4b354 /app/models | |
parent | 10d9a3bf50cca85dd857c5306a34d7a6032580e6 (diff) | |
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/concerns/integrations/has_web_hook.rb | 11 | ||||
-rw-r--r-- | app/models/concerns/safe_url.rb | 9 | ||||
-rw-r--r-- | app/models/integrations/buildkite.rb | 6 | ||||
-rw-r--r-- | app/models/integrations/datadog.rb | 8 | ||||
-rw-r--r-- | app/models/integrations/drone_ci.rb | 6 | ||||
-rw-r--r-- | app/models/integrations/jenkins.rb | 4 | ||||
-rw-r--r-- | app/models/integrations/packagist.rb | 6 |
7 files changed, 41 insertions, 9 deletions
diff --git a/app/models/concerns/integrations/has_web_hook.rb b/app/models/concerns/integrations/has_web_hook.rb index e6ca6cc7938..5fd71f3d72f 100644 --- a/app/models/concerns/integrations/has_web_hook.rb +++ b/app/models/concerns/integrations/has_web_hook.rb @@ -14,6 +14,11 @@ module Integrations raise NotImplementedError end + # Return the url variables to be used for the webhook. + def url_variables + raise NotImplementedError + end + # Return whether the webhook should use SSL verification. def hook_ssl_verification if respond_to?(:enable_ssl_verification) @@ -26,7 +31,11 @@ module Integrations # Create or update the webhook, raising an exception if it cannot be saved. def update_web_hook! hook = service_hook || build_service_hook - hook.url = hook_url if hook.url != hook_url # avoid reencryption + + # Avoid reencryption + hook.url = hook_url if hook.url != hook_url + hook.url_variables = url_variables if hook.url_variables != url_variables + hook.enable_ssl_verification = hook_ssl_verification hook.save! if hook.changed? hook diff --git a/app/models/concerns/safe_url.rb b/app/models/concerns/safe_url.rb index 7dce05bddba..d6378e6ac6f 100644 --- a/app/models/concerns/safe_url.rb +++ b/app/models/concerns/safe_url.rb @@ -3,13 +3,16 @@ module SafeUrl extend ActiveSupport::Concern + # Return the URL with obfuscated userinfo + # and keeping it intact def safe_url(allowed_usernames: []) return if url.nil? - uri = URI.parse(url) + escaped = Addressable::URI.escape(url) + uri = URI.parse(escaped) uri.password = '*****' if uri.password uri.user = '*****' if uri.user && allowed_usernames.exclude?(uri.user) - uri.to_s - rescue URI::Error + Addressable::URI.unescape(uri.to_s) + rescue URI::Error, TypeError end end diff --git a/app/models/integrations/buildkite.rb b/app/models/integrations/buildkite.rb index 7a48e71b934..f2d2aca3ffe 100644 --- a/app/models/integrations/buildkite.rb +++ b/app/models/integrations/buildkite.rb 
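Review bot: The comment on the new `url_variables` stub in has_web_hook.rb does not say what implementers must return. Judging by the integrations changed in this same commit, the contract appears to be a Hash whose string keys match the `{name}` placeholders used in `hook_url`. I would state that in the comment: `# Return a Hash of placeholder name => value for every {placeholder} used in hook_url (an empty Hash when there are none).` The enclosing module starts before this hunk.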
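Review bot: In `update_web_hook!`, the templated URL and its variables are written only when this method runs, so a hook row saved before this change presumably keeps the secret inside `url` until its integration is next saved. No backfill is visible here, though the diffstat is limited to app/models; if none exists elsewhere, a data migration is worth adding, or at least a comment such as `# Existing hooks are rewritten only on the next save of the integration.` Separately, `hook_url` and `url_variables` are each evaluated twice per call; binding them to locals before the comparisons would avoid rebuilding the string and the hash.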
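Review bot: The widened `rescue URI::Error, TypeError` in `safe_url` still misses the error class of the library the method now calls first. `Addressable::URI.escape` parses its argument and can raise `Addressable::URI::InvalidURIError`, which is not a `URI::Error`. Because this helper exists to keep credentials out of displayed URLs, it should return nil for any input it cannot parse: `rescue URI::Error, Addressable::URI::InvalidURIError, TypeError`. The new comment is also hard to read; something like `# Return the URL with userinfo masked; the rest of the URL is returned unchanged.` says what the escape/unescape round trip is for.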
@@ -50,7 +50,11 @@ module Integrations override :hook_url def hook_url - "#{buildkite_endpoint('webhook')}/deliver/#{webhook_token}" + "#{buildkite_endpoint('webhook')}/deliver/{webhook_token}" + end + + def url_variables + { 'webhook_token' => webhook_token } end def execute(data) diff --git a/app/models/integrations/datadog.rb b/app/models/integrations/datadog.rb index 4479725a33b..c9407aa738e 100644 --- a/app/models/integrations/datadog.rb +++ b/app/models/integrations/datadog.rb @@ -154,13 +154,17 @@ module Integrations url = api_url.presence || sprintf(URL_TEMPLATE, datadog_domain: datadog_domain) url = URI.parse(url) query = { - "dd-api-key" => api_key, + "dd-api-key" => 'THIS_VALUE_WILL_BE_REPLACED', service: datadog_service.presence, env: datadog_env.presence, tags: datadog_tags_query_param.presence }.compact url.query = query.to_query - url.to_s + url.to_s.gsub('THIS_VALUE_WILL_BE_REPLACED', '{api_key}') + end + + def url_variables + { 'api_key' => api_key } end def execute(data) diff --git a/app/models/integrations/drone_ci.rb b/app/models/integrations/drone_ci.rb index de69afeba6a..d1a64aa96d4 100644 --- a/app/models/integrations/drone_ci.rb +++ b/app/models/integrations/drone_ci.rb @@ -106,7 +106,11 @@ module Integrations override :hook_url def hook_url - [drone_url, "/hook", "?owner=#{project.namespace.full_path}", "&name=#{project.path}", "&access_token=#{token}"].join + [drone_url, "/hook", "?owner=#{project.namespace.full_path}", "&name=#{project.path}", "&access_token={token}"].join + end + + def url_variables + { 'token' => token } end override :update_web_hook! diff --git a/app/models/integrations/jenkins.rb b/app/models/integrations/jenkins.rb index c68b5fd2a96..74a6449f4f9 100644 --- a/app/models/integrations/jenkins.rb +++ b/app/models/integrations/jenkins.rb @@ -69,6 +69,10 @@ module Integrations url.to_s end + def url_variables + {} + end + def self.supported_events %w(push merge_request tag_push) end 
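Review bot: The new `url_variables` in buildkite.rb is defined without `override :url_variables`, although `hook_url` directly above it is declared with `override :hook_url` and both implement methods of the has_web_hook.rb concern. Adding `override :url_variables` keeps the override check covering the new method, so a later rename in the concern cannot silently leave an integration without its variables. The same applies to the `url_variables` added in drone_ci.rb and packagist.rb, and probably to datadog.rb and jenkins.rb, where the `hook_url` declaration is outside the hunk.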
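Review bot: In datadog.rb's `hook_url`, `gsub('THIS_VALUE_WILL_BE_REPLACED', '{api_key}')` runs over the whole URL string, so the sentinel would also be rewritten if it ever appeared in `api_url` or in the service, env or tags values. The reason for the detour is not stated; presumably it is that `to_query` would percent-encode the braces. A comment such as `# to_query would escape the braces, so insert the {api_key} placeholder after encoding` and a named constant for the sentinel would make this easier to audit. The start of `hook_url` lies outside the hunk.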
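Review bot: Returning `{}` from `url_variables` in jenkins.rb is only right if `hook_url` puts no secret into the URL, and this hunk cannot confirm that because only the last line of `hook_url` (`url.to_s`) is visible. If the method sets userinfo credentials on the URI, they would remain in the stored hook URL and miss the protection the other integrations gain in this commit. This is worth confirming against the full method. A one-line comment on `url_variables` explaining why Jenkins needs no placeholders would record the outcome.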
diff --git a/app/models/integrations/packagist.rb b/app/models/integrations/packagist.rb index f91404dab23..7177c82a167 100644 --- a/app/models/integrations/packagist.rb +++ b/app/models/integrations/packagist.rb @@ -66,7 +66,11 @@ module Integrations override :hook_url def hook_url base_url = server.presence || 'https://packagist.org' - "#{base_url}/api/update-package?username=#{username}&apiToken=#{token}" + "#{base_url}/api/update-package?username={username}&apiToken={token}" + end + + def url_variables + { 'username' => username, 'token' => token } end end end |
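Review bot: In packagist.rb the `{username}` and `{token}` placeholders sit in the query string, but nothing in this diff shows whether the values are percent-encoded when the template is expanded. If they are inserted verbatim, a value containing `&`, `#` or `=` would change the query that is sent; the old string interpolation had the same gap. I would confirm that the expansion code encodes values and record the expectation next to the hash, e.g. `# Values are substituted into the query string and must be URL-encoded on expansion.`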