diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-28 21:59:41 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-28 21:59:41 +0000 |
commit | cc201d1e1be2c8f4de2e2265c2b83bd925f8a260 (patch) | |
tree | 7347a079cde32c08900547d96a7c5ddbc2a50259 /app | |
parent | 70d9f335be46efecb1328cd2b7da3f3e17516d7d (diff) | |
download | gitlab-ce-cc201d1e1be2c8f4de2e2265c2b83bd925f8a260.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
Diffstat (limited to 'app')
8 files changed, 63 insertions, 30 deletions
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue b/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue index 52c9f047b76..a10e5efa0e7 100644 --- a/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue +++ b/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue @@ -1,5 +1,6 @@ <script> import { GlBadge, GlLink, GlSafeHtmlDirective, GlModalDirective } from '@gitlab/ui'; +import { isArray } from 'lodash'; import Actions from '../action_buttons.vue'; import StatusIcon from './status_icon.vue'; import { generateText } from './utils'; @@ -35,6 +36,20 @@ export default { required: true, }, }, + computed: { + subtext() { + const { subtext } = this.data; + if (subtext) { + if (isArray(subtext)) { + return subtext.map((t) => generateText(t)).join('<br />'); + } + + return generateText(subtext); + } + + return null; + }, + }, methods: { isArray(arr) { return Array.isArray(arr); @@ -93,11 +108,7 @@ export default { @clickedAction="onClickedAction" /> </div> - <p - v-if="data.subtext" - v-safe-html="generateText(data.subtext)" - class="gl-m-0 gl-font-sm" - ></p> + <p v-if="subtext" v-safe-html="subtext" class="gl-m-0 gl-font-sm"></p> </div> </div> <template v-if="data.children && level === 2"> diff --git a/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js b/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js index cba12507eba..757178ee336 100644 --- a/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js +++ b/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js @@ -35,6 +35,9 @@ const textStyleTags = { [getStartTag('small')]: '<span class="gl-font-sm gl-text-gray-700">', }; +const escapeText = (text) => + document.createElement('div').appendChild(document.createTextNode(text)).parentNode.innerHTML; + const createText = (text) => { return text .replace( @@ -61,7 +64,7 @@ const createText = (text) => { export const generateText = (text) => { if (typeof text === 'string') { - return createText(text); + return createText(escapeText(text)); } else if ( typeof text === 'object' && typeof text.text === 'string' && @@ -69,8 +72,8 @@ export const generateText = (text) => { ) { return createText( `${ - text.prependText ? `${text.prependText} ` : '' - }<a class="gl-text-decoration-underline" href="${text.href}">${text.text}</a>`, + text.prependText ? `${escapeText(text.prependText)} ` : '' + }<a class="gl-text-decoration-underline" href="${text.href}">${escapeText(text.text)}</a>`, ); } diff --git a/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js b/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js index 2477429af5b..68347ac269e 100644 --- a/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js +++ b/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js @@ -19,25 +19,23 @@ export default { if (errorSummary.errored >= 1 && errorSummary.resolved >= 1) { const improvements = sprintf( n__( - '%{strongOpen}%{errors}%{strongClose} point', - '%{strongOpen}%{errors}%{strongClose} points', + '%{strong_start}%{errors}%{strong_end} point', + '%{strong_start}%{errors}%{strong_end} points', resolvedErrors.length, ), { errors: resolvedErrors.length, - strongOpen: '<strong>', - strongClose: '</strong>', }, false, ); const degradations = sprintf( n__( - '%{strongOpen}%{errors}%{strongClose} point', - '%{strongOpen}%{errors}%{strongClose} points', + '%{strong_start}%{errors}%{strong_end} point', + '%{strong_start}%{errors}%{strong_end} points', newErrors.length, ), - { errors: newErrors.length, strongOpen: '<strong>', strongClose: '</strong>' }, + { errors: newErrors.length }, false, ); return sprintf( @@ -96,14 +94,11 @@ export default { this.collapsedData.resolvedErrors.map((e) => { return fullData.push({ text: `${capitalizeFirstCharacter(e.severity)} - ${e.description}`, - subtext: sprintf( - s__(`ciReport|in %{open_link}${e.file_path}:${e.line}%{close_link}`), - { - open_link: `<a class="gl-text-decoration-underline" href="${e.urlPath}">`, - close_link: '</a>', - }, - false, - ), + subtext: { + prependText: s__(`ciReport|in`), + text: `${e.file_path}:${e.line}`, + href: e.urlPath, + }, icon: { name: SEVERITY_ICONS_EXTENSION[e.severity], }, diff --git a/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js b/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js index 6611aedcb07..626a99f7d64 100644 --- a/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js +++ b/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js @@ -63,13 +63,16 @@ export default { if (valid.length) { title = validText; if (invalid.length) { - subtitle = sprintf(`<br>%{small_start}${invalidText}%{small_end}`); + subtitle = invalidText; } } else { title = invalidText; } - return `${title}${subtitle}`; + return { + subject: title, + meta: subtitle, + }; }, fetchCollapsedData() { return axios @@ -152,9 +155,8 @@ export default { } return { - text: `${title} - <br> - ${subtitle}`, + text: title, + supportingText: subtitle, icon: { name: iconName }, actions, }; diff --git a/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js b/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js index 6896f8831e8..37f9964d23a 100644 --- a/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js +++ b/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js @@ -60,7 +60,7 @@ export const reportSubTextBuilder = ({ suite_errors: suiteErrors, summary }) => if (suiteErrors?.base) { errors.push(`${i18n.baseReportParsingError} ${suiteErrors.base}`); } - return errors.join('<br />'); + return errors; } return recentFailuresTextBuilder(summary); }; diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb index e5913bab726..e864ce8752a 100644 --- a/app/policies/issuable_policy.rb +++ b/app/policies/issuable_policy.rb @@ -22,6 +22,12 @@ class IssuablePolicy < BasePolicy enable :reopen_issue end + # This rule replicates permissions in NotePolicy#can_read_confidential and it's used in + # TodoPolicy for performance reasons + rule { can?(:reporter_access) | assignee_or_author | admin }.policy do + enable :read_confidential_notes + end + rule { can?(:read_merge_request) & assignee_or_author }.policy do enable :update_merge_request enable :reopen_merge_request diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb index e85f18f2d37..1bffcc5aea2 100644 --- a/app/policies/note_policy.rb +++ b/app/policies/note_policy.rb @@ -20,6 +20,7 @@ class NotePolicy < BasePolicy condition(:confidential, scope: :subject) { @subject.confidential? } + # If this condition changes IssuablePolicy#read_confidential_notes should be updated too condition(:can_read_confidential) do access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin? end diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb index 6237fbc50fa..5c24964f24a 100644 --- a/app/policies/todo_policy.rb +++ b/app/policies/todo_policy.rb @@ -5,10 +5,25 @@ class TodoPolicy < BasePolicy condition(:own_todo) do @user && @subject.user_id == @user.id end + + desc "User can read the todo's target" condition(:can_read_target) do @user && @subject.target&.readable_by?(@user) end + desc "Todo has confidential note" + condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? } + + desc "User can read the todo's confidential note" + condition(:can_read_todo_confidential_note) do + @user && @user.can?(:read_confidential_notes, @subject.target) + end + rule { own_todo & can_read_target }.enable :read_todo - rule { own_todo & can_read_target }.enable :update_todo + rule { can?(:read_todo) }.enable :update_todo + + rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do + prevent :read_todo + prevent :update_todo + end end |