author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-03 11:35:56 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-03 11:35:56 +0000 |
commit | 33bbb6aa7b6369fea0037f3d8a9243824e48f64f (patch) | |
tree | 18ae1428e70ddcfe1115f355ebdad6ad6f0a6e56 /app/services | |
parent | 41fd6d4d38aaef723e501ff3ab38ae63e31d4efb (diff) | |
download | gitlab-ce-33bbb6aa7b6369fea0037f3d8a9243824e48f64f.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-7-stable-ee
Diffstat (limited to 'app/services')
-rw-r--r-- | app/services/concerns/protected_ref_name_sanitizer.rb | 12 | ||||
-rw-r--r-- | app/services/packages/mark_package_files_for_destruction_service.rb | 26 | ||||
-rw-r--r-- | app/services/packages/mark_package_for_destruction_service.rb (renamed from app/services/packages/destroy_package_service.rb) | 9 | ||||
-rw-r--r-- | app/services/protected_branches/base_service.rb | 11 | ||||
-rw-r--r-- | app/services/protected_branches/create_service.rb | 2 | ||||
-rw-r--r-- | app/services/protected_branches/update_service.rb | 2 | ||||
-rw-r--r-- | app/services/protected_tags/base_service.rb | 16 | ||||
-rw-r--r-- | app/services/protected_tags/create_service.rb | 4 | ||||
-rw-r--r-- | app/services/protected_tags/update_service.rb | 4 |
9 files changed, 37 insertions, 49 deletions
diff --git a/app/services/concerns/protected_ref_name_sanitizer.rb b/app/services/concerns/protected_ref_name_sanitizer.rb
deleted file mode 100644
index 3966c410fec..00000000000
--- a/app/services/concerns/protected_ref_name_sanitizer.rb
+++ /dev/null
@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-
-module ProtectedRefNameSanitizer
- def sanitize_name(name)
- name = CGI.unescapeHTML(name)
- name = Sanitize.fragment(name)
-
- # Sanitize.fragment escapes HTML chars, so unescape again to allow names
- # like `feature->master`
- CGI.unescapeHTML(name)
- end
-end
diff --git a/app/services/packages/mark_package_files_for_destruction_service.rb b/app/services/packages/mark_package_files_for_destruction_service.rb
new file mode 100644
index 00000000000..3672b44b409
--- /dev/null
+++ b/app/services/packages/mark_package_files_for_destruction_service.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Packages
+ # WARNING: ensure that permissions are verified before using this service.
+ class MarkPackageFilesForDestructionService
+ BATCH_SIZE = 500
+
+ def initialize(package_files)
+ @package_files = package_files
+ end
+
+ def execute
+ @package_files.each_batch(of: BATCH_SIZE) do |batched_package_files|
+ batched_package_files.update_all(status: :pending_destruction)
+ end
+
+ service_response_success('Package files are now pending destruction')
+ end
+
+ private
+
+ def service_response_success(message)
+ ServiceResponse.success(message: message)
+ end
+ end
+end
diff --git a/app/services/packages/destroy_package_service.rb b/app/services/packages/mark_package_for_destruction_service.rb
index 697f1fa3ac8..3417febe79a 100644
--- a/app/services/packages/destroy_package_service.rb
+++ b/app/services/packages/mark_package_for_destruction_service.rb
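Review bot: `initialize(package_files)` in the new MarkPackageFilesForDestructionService accepts any object, but `execute` calls `each_batch` and `update_all` on it, so only a relation-like scope works; an Array of records would raise NoMethodError at the first batch. Since the caller that the existing WARNING asks to verify permissions is also the one that has to pass a correctly scoped relation, I would say both things next to that WARNING: `# @param package_files [ActiveRecord::Relation] package files to mark; must be a relation (each_batch/update_all), already scoped by the caller to records the user may delete`. On the `update_all` line it is worth recording that this is a bulk write that bypasses model validations and callbacks and, in Rails, does not touch `updated_at`, so no per-record side effects of the status change run: `# update_all: bulk status flip, skips validations/callbacks`.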
@@ -1,19 +1,20 @@
 # frozen_string_literal: true
 
 module Packages
- class DestroyPackageService < BaseContainerService
+ class MarkPackageForDestructionService < BaseContainerService
 alias_method :package, :container
 
 def execute
 return service_response_error("You don't have access to this package", 403) unless user_can_delete_package?
 
- package.destroy!
+ package.pending_destruction!
+ package.mark_package_files_for_destruction
 package.sync_maven_metadata(current_user)
 
- service_response_success('Package was successfully deleted')
+ service_response_success('Package was successfully marked as pending destruction')
 rescue StandardError
- service_response_error('Failed to remove the package', 400)
+ service_response_error('Failed to mark the package as pending destruction', 400)
 end
 
 private
 
diff --git a/app/services/protected_branches/base_service.rb b/app/services/protected_branches/base_service.rb
index 1ab3ccfcaae..f48e02ab4b5 100644
--- a/app/services/protected_branches/base_service.rb
+++ b/app/services/protected_branches/base_service.rb
@@ -2,8 +2,6 @@
 
 module ProtectedBranches
 class BaseService < ::BaseService
- include ProtectedRefNameSanitizer
-
 # current_user - The user that performs the action
 # params - A hash of parameters
 def initialize(project, current_user = nil, params = {})
@@ -15,14 +13,5 @@ module ProtectedBranches
 def after_execute(*)
 # overridden in EE::ProtectedBranches module
 end
-
- private
-
- def filtered_params
- return unless params
-
- params[:name] = sanitize_name(params[:name]) if params[:name].present?
- params
- end
 end
 end
diff --git a/app/services/protected_branches/create_service.rb b/app/services/protected_branches/create_service.rb
index ea494dd4426..dada449989a 100644
--- a/app/services/protected_branches/create_service.rb
+++ b/app/services/protected_branches/create_service.rb
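Review bot: In `execute`, `package.pending_destruction!` and `package.mark_package_files_for_destruction` are two separate writes with no transaction around them, and `package.sync_maven_metadata(current_user)` runs after both; any failure in the later steps is caught by the bare `rescue StandardError`, which discards the exception and answers `Failed to mark the package as pending destruction` even when the package itself is already marked. I would wrap the two marking calls in a transaction so the package and its files cannot disagree after a partial failure, and bind the exception (`rescue StandardError => e`) so it can be logged before the 400 is returned. Whether `pending_destruction!` saves immediately (an enum bang method) and what `mark_package_files_for_destruction` does are not visible here, so the transaction boundary should be confirmed against the model. The class continues past the hunk, where `user_can_delete_package?` and the response helpers are presumably defined.
```ruby
    def execute
      # … unchanged: access check …
      package.transaction do
        package.pending_destruction!
        package.mark_package_files_for_destruction
      end
      package.sync_maven_metadata(current_user)
      # … unchanged: success response …
    rescue StandardError => e
      # log `e` through the project's error-tracking helper before answering
      service_response_error('Failed to mark the package as pending destruction', 400)
    end
```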
@@ -21,7 +21,7 @@ module ProtectedBranches
 end
 
 def protected_branch
- @protected_branch ||= project.protected_branches.new(filtered_params)
+ @protected_branch ||= project.protected_branches.new(params)
 end
 end
 end
diff --git a/app/services/protected_branches/update_service.rb b/app/services/protected_branches/update_service.rb
index 40e9a286af9..1e70f2d9793 100644
--- a/app/services/protected_branches/update_service.rb
+++ b/app/services/protected_branches/update_service.rb
@@ -8,7 +8,7 @@ module ProtectedBranches
 old_merge_access_levels = protected_branch.merge_access_levels.map(&:clone)
 old_push_access_levels = protected_branch.push_access_levels.map(&:clone)
 
- if protected_branch.update(filtered_params)
+ if protected_branch.update(params)
 after_execute(protected_branch: protected_branch, old_merge_access_levels: old_merge_access_levels, old_push_access_levels: old_push_access_levels)
 end
 
diff --git a/app/services/protected_tags/base_service.rb b/app/services/protected_tags/base_service.rb
deleted file mode 100644
index e0181815f0f..00000000000
--- a/app/services/protected_tags/base_service.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-module ProtectedTags
- class BaseService < ::BaseService
- include ProtectedRefNameSanitizer
-
- private
-
- def filtered_params
- return unless params
-
- params[:name] = sanitize_name(params[:name]) if params[:name].present?
- params
- end
- end
-end
diff --git a/app/services/protected_tags/create_service.rb b/app/services/protected_tags/create_service.rb
index 7d2b583a295..65303f21a4a 100644
--- a/app/services/protected_tags/create_service.rb
+++ b/app/services/protected_tags/create_service.rb
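Review bot: `project.protected_branches.new(params)` in `protected_branch` now persists `params[:name]` exactly as submitted; the `ProtectedRefNameSanitizer` deleted in this same commit was the only step in these services that touched the name, so protection against HTML in branch names now rests entirely on model validation and on escaping at every place a protected branch name is rendered, none of which is in this diff and should be confirmed. Handing the whole `params` hash to mass assignment likewise depends on the controller/API layer having permitted only the expected keys, which is not visible here. A one-line comment on the method would record the new contract: `# params[:name] is persisted verbatim (no HTML sanitization here); renderers must escape it`. Any authorization check in `CreateService#execute` lies outside this hunk.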
@@ -1,13 +1,13 @@
 # frozen_string_literal: true
 
 module ProtectedTags
- class CreateService < ProtectedTags::BaseService
+ class CreateService < ::BaseService
 attr_reader :protected_tag
 
 def execute
 raise Gitlab::Access::AccessDeniedError unless can?(current_user, :admin_project, project)
 
- project.protected_tags.create(filtered_params)
+ project.protected_tags.create(params)
 end
 end
 end
diff --git a/app/services/protected_tags/update_service.rb b/app/services/protected_tags/update_service.rb
index e337ec39898..283aa8882c5 100644
--- a/app/services/protected_tags/update_service.rb
+++ b/app/services/protected_tags/update_service.rb
@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
 module ProtectedTags
- class UpdateService < ProtectedTags::BaseService
+ class UpdateService < ::BaseService
 def execute(protected_tag)
 raise Gitlab::Access::AccessDeniedError unless can?(current_user, :admin_project, project)
 
- protected_tag.update(filtered_params)
+ protected_tag.update(params)
 protected_tag
 end
 end |
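Review bot: `project.protected_tags.create(params)` returns the new record whether or not it saved (non-bang `create`), so callers must inspect `persisted?`/`errors`; that was already true with `filtered_params`, but `params[:name]` now also reaches the model unsanitized, since the removed `ProtectedTags::BaseService` added only `ProtectedRefNameSanitizer` on top of `::BaseService`. The permission gate `can?(current_user, :admin_project, project)` stays in place, which is good; what this diff does not show is the output-side escaping of tag names that the sanitizer removal now relies on, and that should be verified wherever a protected tag's name is rendered. I would add above the `create` call: `# name is stored verbatim; HTML escaping is the renderer's job`.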