author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-01 12:09:17 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-01 12:09:17 +0000 |
commit | 7b2635a55d4e87431bae752bd44c6fd2d2657b03 (patch) | |
tree | 88182aabb51a167e10f6c3a6d404b2247613047f /lib | |
parent | a7704bf16a51a8c993215a69db17232e3f246b8e (diff) | |
download | gitlab-ce-7b2635a55d4e87431bae752bd44c6fd2d2657b03.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/helpers/internal_helpers.rb | 34 | ||||
-rw-r--r-- | lib/constraints/project_url_constrainer.rb | 2 | ||||
-rw-r--r-- | lib/constraints/repository_redirect_url_constrainer.rb | 28 | ||||
-rw-r--r-- | lib/gitlab/application_context.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml | 24 | ||||
-rw-r--r-- | lib/gitlab/git_access.rb | 9 | ||||
-rw-r--r-- | lib/gitlab/git_access_project.rb | 16 | ||||
-rw-r--r-- | lib/gitlab/graphql/expose_permissions.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/legacy_github_import/project_creator.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/path_regex.rb | 16 | ||||
-rw-r--r-- | lib/gitlab/repo_path.rb | 2 | ||||
-rw-r--r-- | lib/tasks/gitlab/assets.rake | 5 |
12 files changed, 104 insertions, 38 deletions
diff --git a/lib/api/helpers/internal_helpers.rb b/lib/api/helpers/internal_helpers.rb
index 69b53ea6c2f..12b0a053e79 100644
--- a/lib/api/helpers/internal_helpers.rb
+++ b/lib/api/helpers/internal_helpers.rb
@@ -31,8 +31,7 @@ module API
 def access_checker_for(actor, protocol)
 access_checker_klass.new(actor.key_or_user, container, protocol,
 authentication_abilities: ssh_authentication_abilities,
- namespace_path: namespace_path,
- repository_path: project_path,
+ repository_path: repository_path,
 redirected_path: redirected_path)
 end
@@ -71,18 +70,22 @@ module API
 false
 end
- def project_path
- project&.path || project_path_match[:project_path]
- end
-
- def namespace_path
- project&.namespace&.full_path || project_path_match[:namespace_path]
- end
-
 private
- def project_path_match
- @project_path_match ||= params[:project].match(Gitlab::PathRegex.full_project_git_path_regex) || {}
+ def repository_path
+ if container
+ "#{container.full_path}.git"
+ elsif params[:project]
+ # When the project doesn't exist, we still need to pass on the path
+ # to support auto-creation in `GitAccessProject`.
+ #
+ # For consistency with the Git HTTP controllers, we normalize the path
+ # to remove a leading slash and ensure a trailing `.git`.
+ #
+ # NOTE: For GitLab Shell, `params[:project]` is the full repository path
+ # from the SSH command, with an optional trailing `.git`.
+ "#{params[:project].delete_prefix('/').delete_suffix('.git')}.git"
+ end
 end
 # rubocop:disable Gitlab/ModuleWithInstanceVariables
@@ -96,7 +99,7 @@ module API
 end
 # rubocop:enable Gitlab/ModuleWithInstanceVariables
- # Project id to pass between components that don't share/don't have
+ # Repository id to pass between components that don't share/don't have
 # access to the same filesystem mounts
 def gl_repository
 repo_type.identifier_for_container(container)
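Review bot: The `elsif params[:project]` branch of the new `repository_path` only normalizes the path that GitLab Shell took from the SSH command; nothing in this helper checks that the result is a well-formed `namespace/project.git`, and the `project_path_match` that previously matched it against `Gitlab::PathRegex.full_project_git_path_regex` is deleted in this hunk. That is acceptable only because the same match now happens in `GitAccessProject#repository_path_match`, so the comment block should say so explicitly, e.g. `# Not validated here: GitAccessProject matches this against full_project_git_path_regex before any auto-creation.` Note also that `delete_prefix('/')` strips exactly one slash, so a path such as `//group/project.git` is passed on unchanged and simply fails the downstream match; if that is intended, the "remove a leading slash" comment should read "a single leading slash". The enclosing `private` section and module continue outside this hunk.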
@@ -106,8 +109,9 @@ module API
 repository.full_path
 end
- # Return the repository depending on whether we want the wiki or the
- # regular repository
+ # Return the repository for the detected type and container
+ #
+ # @returns [Repository]
 def repository
 @repository ||= repo_type.repository_for(container)
 end
diff --git a/lib/constraints/project_url_constrainer.rb b/lib/constraints/project_url_constrainer.rb
index 3e9cf2ab320..d41490d2ebd 100644
--- a/lib/constraints/project_url_constrainer.rb
+++ b/lib/constraints/project_url_constrainer.rb
@@ -4,7 +4,7 @@ module Constraints
 class ProjectUrlConstrainer
 def matches?(request, existence_check: true)
 namespace_path = request.params[:namespace_id]
- project_path = request.params[:project_id] || request.params[:id] || request.params[:repository_id]
+ project_path = request.params[:project_id] || request.params[:id]
 full_path = [namespace_path, project_path].join('/')
 return false unless ProjectPathValidator.valid_path?(full_path)
diff --git a/lib/constraints/repository_redirect_url_constrainer.rb b/lib/constraints/repository_redirect_url_constrainer.rb
new file mode 100644
index 00000000000..44df670d8d3
--- /dev/null
+++ b/lib/constraints/repository_redirect_url_constrainer.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Constraints
+ class RepositoryRedirectUrlConstrainer
+ def matches?(request)
+ path = request.params[:repository_path].delete_suffix('.git')
+ query = request.query_string
+
+ git_request?(query) && container_path?(path)
+ end
+
+ # Allow /info/refs, /info/refs?service=git-upload-pack, and
+ # /info/refs?service=git-receive-pack, but nothing else.
+ def git_request?(query)
+ query.blank? ||
+ query == 'service=git-upload-pack' ||
+ query == 'service=git-receive-pack'
+ end
+
+ # Check if the path matches any known repository containers.
+ # These also cover wikis, since a `.wiki` suffix is valid in project/group paths too.
+ def container_path?(path)
+ NamespacePathValidator.valid_path?(path) ||
+ ProjectPathValidator.valid_path?(path) ||
+ path =~ Gitlab::PathRegex.full_snippets_repository_path_regex
+ end
+ end
+end
diff --git a/lib/gitlab/application_context.rb b/lib/gitlab/application_context.rb
index b4bbb309c36..84fe3d1c959 100644
--- a/lib/gitlab/application_context.rb
+++ b/lib/gitlab/application_context.rb
@@ -30,7 +30,7 @@ module Gitlab
 Labkit::Context.current.to_h.include?(Labkit::Context.log_key(attribute_name))
 end
- def initialize(args)
+ def initialize(**args)
 unknown_attributes = args.keys - APPLICATION_ATTRIBUTES.map(&:name)
 raise ArgumentError, "#{unknown_attributes} are not known keys" if unknown_attributes.any?
diff --git a/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml
new file mode 100644
index 00000000000..a0564a16c07
--- /dev/null
+++ b/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml
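Review bot: `matches?` calls `delete_suffix` on `request.params[:repository_path]` with no nil guard, so any route that applies this constraint without a `:repository_path` segment raises `NoMethodError` instead of returning false; if the routes always supply it, `request.params[:repository_path].to_s.delete_suffix('.git')` costs nothing and keeps the constraint total. In `container_path?`, `path =~ Gitlab::PathRegex.full_snippets_repository_path_regex` yields a match offset rather than a boolean and allocates MatchData on every request; `Gitlab::PathRegex.full_snippets_repository_path_regex.match?(path)` is the idiomatic predicate form. The exact-string allowlist in `git_request?` is the right choice for a routing gate, but the comment should state that it is deliberately strict — any extra query parameter rejects the request — so nobody later relaxes it to a substring or `start_with?` check. As a style point, `git_request?` and `container_path?` are only used by `matches?` and could sit under `private`.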
@@ -0,0 +1,24 @@
+stages:
+ - build
+ - test
+ - deploy
+ - dast
+
+variables:
+ DAST_VERSION: 1
+ # Setting this variable will affect all Security templates
+ # (SAST, Dependency Scanning, ...)
+ SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+
+dast:
+ stage: dast
+ image:
+ name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION"
+ variables:
+ GIT_STRATEGY: none
+ allow_failure: true
+ script:
+ - /analyze
+ artifacts:
+ reports:
+ dast: gl-dast-report.json
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 0576d1dd9db..5ed4322341e 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -43,7 +43,7 @@ module Gitlab
 ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS
 attr_reader :actor, :protocol, :authentication_abilities,
- :namespace_path, :redirected_path, :auth_result_type,
+ :repository_path, :redirected_path, :auth_result_type,
 :cmd, :changes
 attr_accessor :container
@@ -57,21 +57,16 @@ module Gitlab
 raise ArgumentError, "No error message defined for #{key}"
 end
- def initialize(actor, container, protocol, authentication_abilities:, namespace_path: nil, repository_path: nil, redirected_path: nil, auth_result_type: nil)
+ def initialize(actor, container, protocol, authentication_abilities:, repository_path: nil, redirected_path: nil, auth_result_type: nil)
 @actor = actor
 @container = container
 @protocol = protocol
 @authentication_abilities = Array(authentication_abilities)
- @namespace_path = namespace_path
 @repository_path = repository_path
 @redirected_path = redirected_path
 @auth_result_type = auth_result_type
 end
- def repository_path
- @repository_path ||= project&.path
- end
-
 def check(cmd, changes)
 @changes = changes
 @cmd = cmd
diff --git a/lib/gitlab/git_access_project.rb b/lib/gitlab/git_access_project.rb
index cdefcc84f7d..7e9bab4a8e6 100644
--- a/lib/gitlab/git_access_project.rb
+++ b/lib/gitlab/git_access_project.rb
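Review bot: The `dast` job pulls `$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION` with `DAST_VERSION: 1`, a floating major tag, so the analyzer that actually runs an on-demand scan changes whenever a new `dast:1.x` image is published, and with `allow_failure: true` a broken or altered image neither fails the pipeline nor gets noticed. That matches the convention of the other shipped Security templates, but the comment above `DAST_VERSION` should add that users who need reproducible or supply-chain-pinned scans should override it with a full version or an image digest. The job also sets no target or authentication variables, so it presumably relies on the on-demand scan profile to inject them; a one-line comment such as `# Target and auth settings are supplied by the on-demand scan profile` would make that dependency visible to anyone copying the template.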
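Review bot: Dropping the `namespace_path:` keyword from `GitAccess#initialize` turns any caller that still passes it into `ArgumentError (unknown keyword)`; only the internal API helper is updated in this commit, so the Git HTTP controllers and the other `GitAccess*` subclasses that build these checkers need to be verified, and they are outside this diff. The removed `repository_path` getter also used to fall back to `project&.path`, so after this hunk `repository_path` is a plain `attr_reader` that stays `nil` whenever a caller omits it; any subclass that calls a String method on it (the new `repository_path_match` in `GitAccessProject` does) should tolerate that, or the keyword should lose its `nil` default so the omission fails loudly at construction. The remainder of `GitAccess` is outside this hunk.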
@@ -35,7 +35,19 @@ module Gitlab
 end
 def namespace
- @namespace ||= Namespace.find_by_full_path(namespace_path)
+ strong_memoize(:namespace) { Namespace.find_by_full_path(namespace_path) }
+ end
+
+ def namespace_path
+ strong_memoize(:namespace_path) { repository_path_match[:namespace_path] }
+ end
+
+ def project_path
+ strong_memoize(:project_path) { repository_path_match[:project_path] }
+ end
+
+ def repository_path_match
+ strong_memoize(:repository_path_match) { repository_path.match(Gitlab::PathRegex.full_project_git_path_regex) || {} }
 end
 def ensure_project_on_push!
@@ -44,7 +56,7 @@ module Gitlab
 return unless user&.can?(:create_projects, namespace)
 project_params = {
- path: repository_path,
+ path: project_path,
 namespace_id: namespace.id,
 visibility_level: Gitlab::VisibilityLevel::PRIVATE
 }
diff --git a/lib/gitlab/graphql/expose_permissions.rb b/lib/gitlab/graphql/expose_permissions.rb
index 365b7cca24f..ab9ed354673 100644
--- a/lib/gitlab/graphql/expose_permissions.rb
+++ b/lib/gitlab/graphql/expose_permissions.rb
@@ -9,7 +9,7 @@ module Gitlab
 field :user_permissions, permission_type,
 description: description,
 null: false,
- resolve: -> (obj, _, _) { obj }
+ method: :itself
 end
 end
 end
diff --git a/lib/gitlab/legacy_github_import/project_creator.rb b/lib/gitlab/legacy_github_import/project_creator.rb
index b484b69c932..c54325bcdf5 100644
--- a/lib/gitlab/legacy_github_import/project_creator.rb
+++ b/lib/gitlab/legacy_github_import/project_creator.rb
@@ -5,7 +5,7 @@ module Gitlab
 class ProjectCreator
 attr_reader :repo, :name, :namespace, :current_user, :session_data, :type
- def initialize(repo, name, namespace, current_user, session_data, type: 'github')
+ def initialize(repo, name, namespace, current_user, type: 'github', **session_data)
 @repo = repo
 @name = name
 @namespace = namespace
diff --git a/lib/gitlab/path_regex.rb b/lib/gitlab/path_regex.rb
index ad0a5c80604..2ff23980ebd 100644
--- a/lib/gitlab/path_regex.rb
+++ b/lib/gitlab/path_regex.rb
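Review bot: `repository_path_match` calls `repository_path.match(...)` with no nil guard, yet after this commit `repository_path` is an `attr_reader` in `GitAccess` that defaults to `nil`, so a caller that does not pass `repository_path:` and reaches `namespace` via `ensure_project_on_push!` now raises `NoMethodError` where the old `namespace_path` keyword degraded to `Namespace.find_by_full_path(nil)` and skipped creation. One line restores that tolerance: `strong_memoize(:repository_path_match) { repository_path.to_s.match(Gitlab::PathRegex.full_project_git_path_regex) || {} }`. It is also worth a comment that `strong_memoize(:namespace)` caches a `nil` result, which is the desired behaviour here but means a missing namespace is only looked up once per checker. `ensure_project_on_push!` starts inside this hunk but its remaining guards are outside it, so whether `project` is always nil on this path cannot be confirmed from the diff.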
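Review bot: Turning `session_data` from a positional Hash into `**session_data` means a caller that still passes the hash positionally now raises `ArgumentError`, and a caller that splats it will have any `:type` key inside the former hash captured by the `type:` parameter instead of ending up in `@session_data`. Only the signature is visible here, so the call sites and spec should be checked for both cases; a one-line comment such as `# session_data: all remaining keyword arguments; callers must pass **session_data` would document the new contract on the constructor. The body of `initialize` continues outside this hunk.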
@@ -180,12 +180,16 @@ module Gitlab
 end
 end
- def project_git_route_regex
- @project_git_route_regex ||= /#{project_route_regex}\.git/.freeze
+ def repository_route_regex
+ @repository_route_regex ||= /#{full_namespace_route_regex}|#{personal_snippet_repository_path_regex}/.freeze
 end
- def project_wiki_git_route_regex
- @project_wiki_git_route_regex ||= /#{PATH_REGEX_STR}\.wiki/.freeze
+ def repository_git_route_regex
+ @repository_git_route_regex ||= /#{repository_route_regex}\.git/.freeze
+ end
+
+ def repository_wiki_git_route_regex
+ @repository_wiki_git_route_regex ||= /#{full_namespace_route_regex}\.wiki\.git/.freeze
 end
 def full_namespace_path_regex
@@ -250,10 +254,6 @@ module Gitlab
 %r{\A(#{personal_snippet_repository_path_regex}|#{project_snippet_repository_path_regex})\z}
 end
- def personal_and_project_snippets_path_regex
- %r{#{personal_snippet_path_regex}|#{project_snippet_path_regex}}
- end
-
 def container_image_regex
 @container_image_regex ||= %r{([\w\.-]+\/){0,1}[\w\.-]+}.freeze
 end
diff --git a/lib/gitlab/repo_path.rb b/lib/gitlab/repo_path.rb
index 9ee6f67e455..79cf081b9dc 100644
--- a/lib/gitlab/repo_path.rb
+++ b/lib/gitlab/repo_path.rb
@@ -5,7 +5,7 @@ module Gitlab
 NotFoundError = Class.new(StandardError)
 def self.parse(path)
- repo_path = path.sub(/\.git\z/, '').sub(%r{\A/}, '')
+ repo_path = path.delete_prefix('/').delete_suffix('.git')
 redirected_path = nil
 # Detect the repo type based on the path, the first one tried is the project
diff --git a/lib/tasks/gitlab/assets.rake b/lib/tasks/gitlab/assets.rake
index ab2d77eeaf0..54e74fd9c8b 100644
--- a/lib/tasks/gitlab/assets.rake
+++ b/lib/tasks/gitlab/assets.rake
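Review bot: `repository_route_regex` is an ungrouped alternation, `/#{full_namespace_route_regex}|#{personal_snippet_repository_path_regex}/`, and `repository_git_route_regex` appends `\.git` to it; the suffix only binds to both alternatives because interpolating a Regexp object wraps it in `(?-mix:...)`. That is correct today but breaks silently if either interpolation is later changed to a string constant such as `PATH_REGEX_STR` (as the removed `project_wiki_git_route_regex` used), so the alternation should be grouped explicitly, `/(?:#{full_namespace_route_regex}|#{personal_snippet_repository_path_regex})/`, or carry a comment stating that the implicit grouping is relied on. Because the first alternative is `full_namespace_route_regex`, the `.git` route now also matches bare group and user paths, which presumably is why the new `RepositoryRedirectUrlConstrainer` exists; a comment on `repository_route_regex` pointing at that constraint would help the next reader.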
@@ -81,7 +81,10 @@ namespace :gitlab do
 if head_assets_md5 != master_assets_md5 || !public_assets_webpack_dir_exists
 FileUtils.rm_r(Tasks::Gitlab::Assets::PUBLIC_ASSETS_WEBPACK_DIR) if public_assets_webpack_dir_exists
- system('yarn webpack')
+
+ unless system('yarn webpack')
+ abort 'Error: Unable to compile webpack production bundle.'.color(:red)
+ end
 end
 end