diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:31:31 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:31:31 +0000 |
| commit | e810b8327513c3b07cb779dbce6c75dbcb49ca84 (patch) | |
| tree | 65b220240faa9e191388c6ab233fed03da2b8713 /app | |
| parent | 11e9b7b58837da351f08c18e6f0f4faba4d7d301 (diff) | |
| download | gitlab-ce-e810b8327513c3b07cb779dbce6c75dbcb49ca84.tar.gz | |
Add latest changes from gitlab-org/security/gitlab@13-1-stable-ee
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/concerns/wiki_actions.rb | 2 | ||||
| -rw-r--r-- | app/finders/events_finder.rb | 6 | ||||
| -rw-r--r-- | app/models/merge_request.rb | 2 | ||||
| -rw-r--r-- | app/services/snippets/repository_validation_service.rb | 72 |
4 files changed, 80 insertions, 2 deletions
diff --git a/app/controllers/concerns/wiki_actions.rb b/app/controllers/concerns/wiki_actions.rb index b4b4fd84c37..7eef12fadfe 100644 --- a/app/controllers/concerns/wiki_actions.rb +++ b/app/controllers/concerns/wiki_actions.rb @@ -58,7 +58,7 @@ module WikiActions render 'shared/wikis/show' elsif file_blob - send_blob(wiki.repository, file_blob, allow_caching: container.public?) + send_blob(wiki.repository, file_blob) elsif show_create_form? # Assign a title to the WikiPage unless `id` is a randomly generated slug from #new title = params[:id] unless params[:random_title].present? diff --git a/app/finders/events_finder.rb b/app/finders/events_finder.rb index 52612f1f8aa..004fbc4cd22 100644 --- a/app/finders/events_finder.rb +++ b/app/finders/events_finder.rb @@ -33,6 +33,8 @@ class EventsFinder end def execute + return Event.none if cannot_access_private_profile? + events = get_events events = by_current_user_access(events) @@ -103,6 +105,10 @@ class EventsFinder end # rubocop: enable CodeReuse/ActiveRecord + def cannot_access_private_profile? + source.is_a?(User) && !Ability.allowed?(current_user, :read_user_profile, source) + end + def sort(events) return events unless params[:sort] diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb index caf7b554427..a7e0907eb5f 100644 --- a/app/models/merge_request.rb +++ b/app/models/merge_request.rb @@ -518,7 +518,7 @@ class MergeRequest < ApplicationRecord participants << merge_user end - participants + participants.select { |participant| Ability.allowed?(participant, :read_merge_request, self) } end def first_commit diff --git a/app/services/snippets/repository_validation_service.rb b/app/services/snippets/repository_validation_service.rb new file mode 100644 index 00000000000..c8197795383 --- /dev/null +++ b/app/services/snippets/repository_validation_service.rb @@ -0,0 +1,72 @@ +# frozen_string_literal: true + +module Snippets + class RepositoryValidationService + attr_reader :current_user, :snippet, :repository + + RepositoryValidationError = Class.new(StandardError) + + def initialize(user, snippet) + @current_user = user + @snippet = snippet + @repository = snippet.repository + end + + def execute + if snippet.nil? + return service_response_error('No snippet found.', 404) + end + + check_branch_count! + check_branch_name_default! + check_tag_count! + check_file_count! + check_size! + + ServiceResponse.success(message: 'Valid snippet repository.') + rescue RepositoryValidationError => e + ServiceResponse.error(message: "Error: #{e.message}", http_status: 400) + end + + private + + def check_branch_count! + return if repository.branch_count == 1 + + raise RepositoryValidationError, _('Repository has more than one branch.') + end + + def check_branch_name_default! + branches = repository.branch_names + + return if branches.first == Gitlab::Checks::SnippetCheck::DEFAULT_BRANCH + + raise RepositoryValidationError, _('Repository has an invalid default branch name.') + end + + def check_tag_count! + return if repository.tag_count == 0 + + raise RepositoryValidationError, _('Repository has tags.') + end + + def check_file_count! + file_count = repository.ls_files(nil).size + limit = Snippet.max_file_limit(current_user) + + if file_count > limit + raise RepositoryValidationError, _('Repository files count over the limit') + end + + if file_count == 0 + raise RepositoryValidationError, _('Repository must contain at least 1 file.') + end + end + + def check_size! + return unless snippet.repository_size_checker.above_size_limit? + + raise RepositoryValidationError, _('Repository size is above the limit.') + end + end +end |