diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-09 10:41:08 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-09 10:41:08 +0000 |
commit | 66f47187da83f122b48b21ff1a8096e0d9f9e7fd (patch) | |
tree | a966c43b1a973a61d362dc7077e24ed12cb52ce3 /app | |
parent | 877eefdb6d765fd9fd437b8328ecbe00cb07438a (diff) | |
download | gitlab-ce-66f47187da83f122b48b21ff1a8096e0d9f9e7fd.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-7-stable-ee
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/concerns/page_limiter.rb | 2 | ||||
-rw-r--r-- | app/helpers/submodule_helper.rb | 78 | ||||
-rw-r--r-- | app/models/active_session.rb | 2 | ||||
-rw-r--r-- | app/models/hooks/web_hook.rb | 5 | ||||
-rw-r--r-- | app/services/error_tracking/list_projects_service.rb | 16 |
5 files changed, 64 insertions, 39 deletions
diff --git a/app/controllers/concerns/page_limiter.rb b/app/controllers/concerns/page_limiter.rb index 1d044a41899..97df540d31b 100644 --- a/app/controllers/concerns/page_limiter.rb +++ b/app/controllers/concerns/page_limiter.rb @@ -58,7 +58,7 @@ module PageLimiter # Record the page limit being hit in Prometheus def record_page_limit_interception - dd = DeviceDetector.new(request.user_agent) + dd = Gitlab::SafeDeviceDetector.new(request.user_agent) Gitlab::Metrics.counter(:gitlab_page_out_of_bounds, controller: params[:controller], diff --git a/app/helpers/submodule_helper.rb b/app/helpers/submodule_helper.rb index e3e2f423da3..c38d69df8e4 100644 --- a/app/helpers/submodule_helper.rb +++ b/app/helpers/submodule_helper.rb @@ -17,40 +17,26 @@ module SubmoduleHelper url = File.join(Gitlab.config.gitlab.url, repository.project.full_path) end - if url =~ %r{([^/:]+)/([^/]+(?:\.git)?)\Z} - namespace = Regexp.last_match(1) - project = Regexp.last_match(2) - gitlab_hosts = [Gitlab.config.gitlab.url, - Gitlab.config.gitlab_shell.ssh_path_prefix] - - gitlab_hosts.each do |host| - if url.start_with?(host) - namespace, _, project = url.sub(host, '').rpartition('/') - break - end - end - - namespace.delete_prefix!('/') - project.rstrip! - project.delete_suffix!('.git') - - if self_url?(url, namespace, project) - [ - url_helpers.namespace_project_path(namespace, project), - url_helpers.namespace_project_tree_path(namespace, project, submodule_item_id), - (url_helpers.namespace_project_compare_path(namespace, project, to: submodule_item_id, from: old_submodule_item_id) if old_submodule_item_id) - ] - elsif relative_self_url?(url) - relative_self_links(url, submodule_item_id, old_submodule_item_id, repository.project) - elsif gist_github_dot_com_url?(url) - gist_github_com_tree_links(namespace, project, submodule_item_id) - elsif github_dot_com_url?(url) - github_com_tree_links(namespace, project, submodule_item_id, old_submodule_item_id) - elsif gitlab_dot_com_url?(url) - gitlab_com_tree_links(namespace, project, submodule_item_id, old_submodule_item_id) - else - [sanitize_submodule_url(url), nil, nil] - end + namespace, project = extract_namespace_project(url) + + if namespace.blank? || project.blank? + return [sanitize_submodule_url(url), nil, nil] + end + + if self_url?(url, namespace, project) + [ + url_helpers.namespace_project_path(namespace, project), + url_helpers.namespace_project_tree_path(namespace, project, submodule_item_id), + (url_helpers.namespace_project_compare_path(namespace, project, to: submodule_item_id, from: old_submodule_item_id) if old_submodule_item_id) + ] + elsif relative_self_url?(url) + relative_self_links(url, submodule_item_id, old_submodule_item_id, repository.project) + elsif gist_github_dot_com_url?(url) + gist_github_com_tree_links(namespace, project, submodule_item_id) + elsif github_dot_com_url?(url) + github_com_tree_links(namespace, project, submodule_item_id, old_submodule_item_id) + elsif gitlab_dot_com_url?(url) + gitlab_com_tree_links(namespace, project, submodule_item_id, old_submodule_item_id) else [sanitize_submodule_url(url), nil, nil] end @@ -58,6 +44,30 @@ module SubmoduleHelper protected + def extract_namespace_project(url) + namespace_fragment, _, project = url.rpartition('/') + namespace = namespace_fragment.rpartition(%r{[:/]}).last + + return [nil, nil] unless project.present? && namespace.present? + + gitlab_hosts = [Gitlab.config.gitlab.url, + Gitlab.config.gitlab_shell.ssh_path_prefix] + + matching_host = gitlab_hosts.find do |host| + url.start_with?(host) + end + + if matching_host + namespace, _, project = url.delete_prefix(matching_host).rpartition('/') + end + + namespace.delete_prefix!('/') + project.rstrip! + project.delete_suffix!('.git') + + [namespace, project] + end + def gist_github_dot_com_url?(url) url =~ %r{gist\.github\.com[/:][^/]+/[^/]+\Z} end diff --git a/app/models/active_session.rb b/app/models/active_session.rb index b16c4a2b353..2d1dec1977d 100644 --- a/app/models/active_session.rb +++ b/app/models/active_session.rb @@ -67,7 +67,7 @@ class ActiveSession def self.set(user, request) Gitlab::Redis::Sessions.with do |redis| session_private_id = request.session.id.private_id - client = DeviceDetector.new(request.user_agent) + client = Gitlab::SafeDeviceDetector.new(request.user_agent) timestamp = Time.current expiry = Settings.gitlab['session_expire_delay'] * 60 diff --git a/app/models/hooks/web_hook.rb b/app/models/hooks/web_hook.rb index 189291a38ec..49418cda3ac 100644 --- a/app/models/hooks/web_hook.rb +++ b/app/models/hooks/web_hook.rb @@ -41,6 +41,7 @@ class WebHook < ApplicationRecord after_initialize :initialize_url_variables before_validation :reset_token + before_validation :reset_url_variables, unless: ->(hook) { hook.is_a?(ServiceHook) } before_validation :set_branch_filter_nil, if: :branch_filter_strategy_all_branches? validates :push_events_branch_filter, untrusted_regexp: true, if: :branch_filter_strategy_regex? validates :push_events_branch_filter, "web_hooks/wildcard_branch_filter": true, if: :branch_filter_strategy_wildcard? @@ -213,6 +214,10 @@ class WebHook < ApplicationRecord self.token = nil if url_changed? && !encrypted_token_changed? end + def reset_url_variables + self.url_variables = {} if url_changed? && !encrypted_url_variables_changed? + end + def next_failure_count recent_failures.succ.clamp(1, MAX_FAILURES) end diff --git a/app/services/error_tracking/list_projects_service.rb b/app/services/error_tracking/list_projects_service.rb index 2f23d47029c..d52306ef805 100644 --- a/app/services/error_tracking/list_projects_service.rb +++ b/app/services/error_tracking/list_projects_service.rb @@ -2,6 +2,8 @@ module ErrorTracking class ListProjectsService < ErrorTracking::BaseService + MASKED_TOKEN_REGEX = /\A\*+\z/.freeze + private def perform @@ -20,23 +22,31 @@ module ErrorTracking def project_error_tracking_setting (super || project.build_error_tracking_setting).tap do |setting| + url_changed = !setting.api_url&.start_with?(params[:api_host]) + setting.api_url = ErrorTracking::ProjectErrorTrackingSetting.build_api_url_from( api_host: params[:api_host], organization_slug: 'org', project_slug: 'proj' ) - setting.token = token(setting) + setting.token = token(setting, url_changed) setting.enabled = true end end strong_memoize_attr :project_error_tracking_setting - def token(setting) + def token(setting, url_changed) + return if url_changed && masked_token? + # Use param token if not masked, otherwise use database token - return params[:token] unless /\A\*+\z/.match?(params[:token]) + return params[:token] unless masked_token? setting.token end + + def masked_token? + MASKED_TOKEN_REGEX.match?(params[:token]) + end end end |