diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:21:38 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:21:38 +0000 |
commit | 11e9b7b58837da351f08c18e6f0f4faba4d7d301 (patch) | |
tree | d9b28159a53c3814c8a2e6b33a5f01557b757439 /lib | |
parent | 2b0b97e746e327c6168505df7740e667b690a27f (diff) | |
download | gitlab-ce-11e9b7b58837da351f08c18e6f0f4faba4d7d301.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-1-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/import_github.rb | 4 | ||||
-rw-r--r-- | lib/api/time_tracking_endpoints.rb | 12 | ||||
-rw-r--r-- | lib/banzai/filter/abstract_reference_filter.rb | 2 | ||||
-rw-r--r-- | lib/banzai/filter/base_relative_link_filter.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/markdown_cache.rb | 2 |
5 files changed, 13 insertions, 9 deletions
diff --git a/lib/api/import_github.rb b/lib/api/import_github.rb index 21d4928193e..f31cc15dc62 100644 --- a/lib/api/import_github.rb +++ b/lib/api/import_github.rb @@ -4,6 +4,10 @@ module API class ImportGithub < Grape::API rescue_from Octokit::Unauthorized, with: :provider_unauthorized + before do + forbidden! unless Gitlab::CurrentSettings.import_sources&.include?('github') + end + helpers do def client @client ||= Gitlab::LegacyGithubImport::Client.new(params[:personal_access_token], client_options) diff --git a/lib/api/time_tracking_endpoints.rb b/lib/api/time_tracking_endpoints.rb index 93fe06bec27..da234fb5277 100644 --- a/lib/api/time_tracking_endpoints.rb +++ b/lib/api/time_tracking_endpoints.rb @@ -14,8 +14,8 @@ module API "#{issuable_name}_iid".to_sym end - def update_issuable_key - "update_#{issuable_name}".to_sym + def admin_issuable_key + "admin_#{issuable_name}".to_sym end def read_issuable_key @@ -60,7 +60,7 @@ module API requires :duration, type: String, desc: 'The duration to be parsed' end post ":id/#{issuable_collection_name}/:#{issuable_key}/time_estimate" do - authorize! update_issuable_key, load_issuable + authorize! admin_issuable_key, load_issuable status :ok update_issuable(time_estimate: Gitlab::TimeTrackingFormatter.parse(params.delete(:duration))) @@ -71,7 +71,7 @@ module API requires issuable_key, type: Integer, desc: "The ID of a project #{issuable_name}" end post ":id/#{issuable_collection_name}/:#{issuable_key}/reset_time_estimate" do - authorize! update_issuable_key, load_issuable + authorize! admin_issuable_key, load_issuable status :ok update_issuable(time_estimate: 0) @@ -83,7 +83,7 @@ module API requires :duration, type: String, desc: 'The duration to be parsed' end post ":id/#{issuable_collection_name}/:#{issuable_key}/add_spent_time" do - authorize! update_issuable_key, load_issuable + authorize! admin_issuable_key, load_issuable update_issuable(spend_time: { duration: Gitlab::TimeTrackingFormatter.parse(params.delete(:duration)), @@ -96,7 +96,7 @@ module API requires issuable_key, type: Integer, desc: "The ID of a project #{issuable_name}" end post ":id/#{issuable_collection_name}/:#{issuable_key}/reset_spent_time" do - authorize! update_issuable_key, load_issuable + authorize! admin_issuable_key, load_issuable status :ok update_issuable(spend_time: { duration: :reset, user_id: current_user.id }) diff --git a/lib/banzai/filter/abstract_reference_filter.rb b/lib/banzai/filter/abstract_reference_filter.rb index 5962403d488..f142333d797 100644 --- a/lib/banzai/filter/abstract_reference_filter.rb +++ b/lib/banzai/filter/abstract_reference_filter.rb @@ -253,7 +253,7 @@ module Banzai object_parent_type = parent.is_a?(Group) ? :group : :project { - original: text, + original: escape_html_entities(text), link: link_content, link_reference: link_reference, object_parent_type => parent.id, diff --git a/lib/banzai/filter/base_relative_link_filter.rb b/lib/banzai/filter/base_relative_link_filter.rb index eca105ce9d9..fd526df4c48 100644 --- a/lib/banzai/filter/base_relative_link_filter.rb +++ b/lib/banzai/filter/base_relative_link_filter.rb @@ -38,7 +38,7 @@ module Banzai private def unescape_and_scrub_uri(uri) - Addressable::URI.unescape(uri).scrub + Addressable::URI.unescape(uri).scrub.delete("\0") end end end diff --git a/lib/gitlab/markdown_cache.rb b/lib/gitlab/markdown_cache.rb index 489fc6fddac..21797bf988d 100644 --- a/lib/gitlab/markdown_cache.rb +++ b/lib/gitlab/markdown_cache.rb @@ -3,7 +3,7 @@ module Gitlab module MarkdownCache # Increment this number every time the renderer changes its output - CACHE_COMMONMARK_VERSION = 21 + CACHE_COMMONMARK_VERSION = 23 CACHE_COMMONMARK_VERSION_START = 10 BaseError = Class.new(StandardError) |