authorGitLab Bot <gitlab-bot@gitlab.com>2021-06-30 11:42:13 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-06-30 11:42:37 +0000
commit33e4d44c11427a31ada41e7a0757d35f03d62ce7 (patch)
treee098358958160304d5896eb4e145fe8728d1866f /app
parent814aa80c3a0af2b1eaa402116cff49dd14fda2dd (diff)
Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/assets/javascripts/lib/utils/url_utility.js24
-rw-r--r--app/assets/javascripts/releases/components/app_edit_new.vue9
-rw-r--r--app/models/audit_event.rb11
-rw-r--r--app/services/feature_flags/base_service.rb6
-rw-r--r--app/services/feature_flags/create_service.rb3
-rw-r--r--app/services/feature_flags/destroy_service.rb2
-rw-r--r--app/services/feature_flags/update_service.rb12
7 files changed, 54 insertions, 13 deletions
diff --git a/app/assets/javascripts/lib/utils/url_utility.js b/app/assets/javascripts/lib/utils/url_utility.js
index 48abc072675..d68b41b7f7a 100644
--- a/app/assets/javascripts/lib/utils/url_utility.js
+++ b/app/assets/javascripts/lib/utils/url_utility.js
@@ -545,3 +545,27 @@ export function getURLOrigin(url) {
return null;
}
}
+
+/**
+ * Returns `true` if the given `url` resolves to the same origin the page is served
+ * from; otherwise, returns `false`.
+ *
+ * The `url` may be absolute or relative.
+ *
+ * @param {string} url The URL to check.
+ * @returns {boolean}
+ */
+export function isSameOriginUrl(url) {
+ if (typeof url !== 'string') {
+ return false;
+ }
+
+ const { origin } = window.location;
+
+ try {
+ return new URL(url, origin).origin === origin;
+ } catch {
+ // Invalid URLs cannot have the same origin
+ return false;
+ }
+}
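Review bot: The JSDoc on `isSameOriginUrl` should state the fail-closed behaviour a caller using it as a redirect guard depends on, since none of it is visible from the summary line: a non-string returns `false` at the `typeof` check, a value `new URL` cannot parse returns `false` via the `catch`, and scheme-only targets such as `javascript:`, `data:` or `about:` also return `false` because their `origin` serializes to `"null"` and never equals the page origin. It is also worth saying that only `origin` (scheme, host, port) is compared, so any same-origin path, query or fragment is accepted, while protocol-relative `//host/...` values resolve to that host and are rejected unless it matches. Suggested addition to the doc block: `Fails closed: non-strings, unparsable values and opaque-origin schemes (javascript:, data:, about:) all yield false; only scheme/host/port are compared.`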
diff --git a/app/assets/javascripts/releases/components/app_edit_new.vue b/app/assets/javascripts/releases/components/app_edit_new.vue
index aecd0d6371e..3774f97a060 100644
--- a/app/assets/javascripts/releases/components/app_edit_new.vue
+++ b/app/assets/javascripts/releases/components/app_edit_new.vue
@@ -2,6 +2,7 @@
import { GlButton, GlFormInput, GlFormGroup, GlSprintf } from '@gitlab/ui';
import { mapState, mapActions, mapGetters } from 'vuex';
import { getParameterByName } from '~/lib/utils/common_utils';
+import { isSameOriginUrl } from '~/lib/utils/url_utility';
import { __ } from '~/locale';
import MilestoneCombobox from '~/milestones/components/milestone_combobox.vue';
import { BACK_URL_PARAM } from '~/releases/constants';
@@ -65,7 +66,13 @@ export default {
},
},
cancelPath() {
- return getParameterByName(BACK_URL_PARAM) || this.releasesPagePath;
+ const backUrl = getParameterByName(BACK_URL_PARAM);
+
+ if (isSameOriginUrl(backUrl)) {
+ return backUrl;
+ }
+
+ return this.releasesPagePath;
},
saveButtonLabel() {
return this.isExistingRelease ? __('Save changes') : __('Create release');
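Review bot: The fallback in `cancelPath` deserves a why-comment, otherwise a future reader may "simplify" it back to the `||` form the commit removes at L71: `back_url` arrives from the query string via `getParameterByName` and is attacker-controllable, so it is only honoured when `isSameOriginUrl` accepts it. Suggested comment above the `if`: `// back_url comes from the page URL; follow it only when it stays on this origin (open-redirect guard), otherwise return to the releases page.` Note the check does not constrain the path, so any on-site path is still accepted, which is presumably intended.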
diff --git a/app/models/audit_event.rb b/app/models/audit_event.rb
index aff7eef4622..11036b76fc1 100644
--- a/app/models/audit_event.rb
+++ b/app/models/audit_event.rb
@@ -32,6 +32,9 @@ class AuditEvent < ApplicationRecord
scope :by_author_id, -> (author_id) { where(author_id: author_id) }
after_initialize :initialize_details
+
+ before_validation :sanitize_message
+
# Note: The intention is to remove this once refactoring of AuditEvent
# has proceeded further.
#
@@ -83,6 +86,14 @@ class AuditEvent < ApplicationRecord
private
+ def sanitize_message
+ message = details[:custom_message]
+
+ return unless message
+
+ self.details = details.merge(custom_message: Sanitize.clean(message))
+ end
+
def default_author_value
::Gitlab::Audit::NullAuthor.for(author_id, (self[:author_name] || details[:author_name]))
end
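Review bot: `sanitize_message` is wired as a `before_validation` callback, so any write path that skips validations (`save(validate: false)`, `update_column(s)`, `insert_all`) bypasses it, and rows already persisted with markup are left as they are; the code that renders `custom_message` must therefore still escape on output rather than treat the stored value as safe. Two side effects are worth documenting: `Sanitize.clean` with the default config returns HTML-serialized text (a literal `<` comes back as `&lt;`), so a view that escapes again will show entities, and it silently drops bracketed text a user legitimately typed, e.g. a description containing `<example>`, whereas output escaping would preserve it. The `details.merge(custom_message: ...)` uses a symbol key; if `details` can hold a string `"custom_message"` key, the sanitized value would be added alongside the unsanitized one — I cannot see `initialize_details` from here to confirm. Suggested comment on the callback: `# Defense in depth: strip markup from details[:custom_message] before persisting; renderers must still escape on output and this does not run for validation-skipping writes.`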
diff --git a/app/services/feature_flags/base_service.rb b/app/services/feature_flags/base_service.rb
index f48f95e2550..d041703803b 100644
--- a/app/services/feature_flags/base_service.rb
+++ b/app/services/feature_flags/base_service.rb
@@ -49,9 +49,9 @@ module FeatureFlags
end
def created_scope_message(scope)
- "Created rule <strong>#{scope.environment_scope}</strong> "\
- "and set it as <strong>#{scope.active ? "active" : "inactive"}</strong> "\
- "with strategies <strong>#{scope.strategies}</strong>."
+ "Created rule #{scope.environment_scope} "\
+ "and set it as #{scope.active ? "active" : "inactive"} "\
+ "with strategies #{scope.strategies}."
end
def feature_flag_by_name
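Review bot: With the `<strong>` markup removed, `created_scope_message` now yields plain text, so whichever view renders audit messages must escape it rather than mark it `html_safe`, and the emphasis the markup used to carry has to be reapplied there if it is still wanted; the hunk cannot show whether that side was updated. The interpolated `scope.strategies` goes through `to_s`, which for an array or hash (as the name suggests it is) produces Ruby `inspect` syntax such as `[{"name"=>...}]` in the stored message — pre-existing, but a reader would benefit from a note: `# Plain text on purpose: the view escapes this; strategies is serialized via to_s.`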
diff --git a/app/services/feature_flags/create_service.rb b/app/services/feature_flags/create_service.rb
index de3a55d10fc..5c87af561d5 100644
--- a/app/services/feature_flags/create_service.rb
+++ b/app/services/feature_flags/create_service.rb
@@ -22,8 +22,7 @@ module FeatureFlags
private
def audit_message(feature_flag)
- message_parts = ["Created feature flag <strong>#{feature_flag.name}</strong>",
- "with description <strong>\"#{feature_flag.description}\"</strong>."]
+ message_parts = ["Created feature flag #{feature_flag.name} with description \"#{feature_flag.description}\"."]
message_parts += feature_flag.scopes.map do |scope|
created_scope_message(scope)
diff --git a/app/services/feature_flags/destroy_service.rb b/app/services/feature_flags/destroy_service.rb
index c77e3e03ec3..b131a349fc7 100644
--- a/app/services/feature_flags/destroy_service.rb
+++ b/app/services/feature_flags/destroy_service.rb
@@ -23,7 +23,7 @@ module FeatureFlags
end
def audit_message(feature_flag)
- "Deleted feature flag <strong>#{feature_flag.name}</strong>."
+ "Deleted feature flag #{feature_flag.name}."
end
def can_destroy?(feature_flag)
diff --git a/app/services/feature_flags/update_service.rb b/app/services/feature_flags/update_service.rb
index d956d4b3357..f5ab6f4005b 100644
--- a/app/services/feature_flags/update_service.rb
+++ b/app/services/feature_flags/update_service.rb
@@ -45,14 +45,14 @@ module FeatureFlags
return if changes.empty?
- "Updated feature flag <strong>#{feature_flag.name}</strong>. " + changes.join(" ")
+ "Updated feature flag #{feature_flag.name}. " + changes.join(" ")
end
def changed_attributes_messages(feature_flag)
feature_flag.changes.slice(*AUDITABLE_ATTRIBUTES).map do |attribute_name, changes|
"Updated #{attribute_name} "\
- "from <strong>\"#{changes.first}\"</strong> to "\
- "<strong>\"#{changes.second}\"</strong>."
+ "from \"#{changes.first}\" to "\
+ "\"#{changes.second}\"."
end
end
@@ -69,17 +69,17 @@ module FeatureFlags
end
def deleted_scope_message(scope)
- "Deleted rule <strong>#{scope.environment_scope}</strong>."
+ "Deleted rule #{scope.environment_scope}."
end
def updated_scope_message(scope)
changes = scope.changes.slice(*AUDITABLE_SCOPE_ATTRIBUTES_HUMAN_NAMES.keys)
return if changes.empty?
- message = "Updated rule <strong>#{scope.environment_scope}</strong> "
+ message = "Updated rule #{scope.environment_scope} "
message += changes.map do |attribute_name, change|
name = AUDITABLE_SCOPE_ATTRIBUTES_HUMAN_NAMES[attribute_name]
- "#{name} from <strong>#{change.first}</strong> to <strong>#{change.second}</strong>"
+ "#{name} from #{change.first} to #{change.second}"
end.join(' ')
message + '.'