diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-04-29 08:18:56 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-04-29 08:19:12 +0000 |
commit | 7b1c7e980459210bea3f967cbc6b1c797c1ff658 (patch) | |
tree | 74f3c3392bf8e887a73bb570d27419bfc65c0093 /lib | |
parent | deb2f3a60831afda2ad7ec144eb58aaf269abe58 (diff) | |
download | gitlab-ce-7b1c7e980459210bea3f967cbc6b1c797c1ff658.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/ci/pipeline/chain/helpers.rb | 11 | ||||
-rw-r--r-- | lib/gitlab/ci/pipeline/chain/validate/abilities.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/git_access_wiki.rb | 14 |
3 files changed, 21 insertions, 6 deletions
diff --git a/lib/gitlab/ci/pipeline/chain/helpers.rb b/lib/gitlab/ci/pipeline/chain/helpers.rb index 09158bf8bfd..343a189f773 100644 --- a/lib/gitlab/ci/pipeline/chain/helpers.rb +++ b/lib/gitlab/ci/pipeline/chain/helpers.rb @@ -6,25 +6,28 @@ module Gitlab module Chain module Helpers def error(message, config_error: false, drop_reason: nil) + sanitized_message = ActionController::Base.helpers.sanitize(message, tags: []) + if config_error drop_reason = :config_error - pipeline.yaml_errors = message + pipeline.yaml_errors = sanitized_message end - pipeline.add_error_message(message) + pipeline.add_error_message(sanitized_message) drop_pipeline!(drop_reason) # TODO: consider not to rely on AR errors directly as they can be # polluted with other unrelated errors (e.g. state machine) # https://gitlab.com/gitlab-org/gitlab/-/issues/220823 - pipeline.errors.add(:base, message) + pipeline.errors.add(:base, sanitized_message) pipeline.errors.full_messages end def warning(message) - pipeline.add_warning_message(message) + sanitized_message = ActionController::Base.helpers.sanitize(message, tags: []) + pipeline.add_warning_message(sanitized_message) end private diff --git a/lib/gitlab/ci/pipeline/chain/validate/abilities.rb b/lib/gitlab/ci/pipeline/chain/validate/abilities.rb index 1c1f7abb6f6..035167f1a74 100644 --- a/lib/gitlab/ci/pipeline/chain/validate/abilities.rb +++ b/lib/gitlab/ci/pipeline/chain/validate/abilities.rb @@ -23,7 +23,7 @@ module Gitlab end unless allowed_to_write_ref? - error("You do not have sufficient permission to run a pipeline on '#{command.ref}'. Please select a different branch or contact your administrator for assistance. <a href=https://docs.gitlab.com/ee/ci/pipelines/#pipeline-security-on-protected-branches>Learn more</a>".html_safe) + error("You do not have sufficient permission to run a pipeline on '#{command.ref}'. Please select a different branch or contact your administrator for assistance.") end end diff --git a/lib/gitlab/git_access_wiki.rb b/lib/gitlab/git_access_wiki.rb index f8f61511265..fdd7e8a8c4a 100644 --- a/lib/gitlab/git_access_wiki.rb +++ b/lib/gitlab/git_access_wiki.rb @@ -31,7 +31,8 @@ module Gitlab def check_download_access! super - raise ForbiddenError, download_forbidden_message if deploy_token && !deploy_token.can?(:download_wiki_code, container) + raise ForbiddenError, download_forbidden_message if build_cannot_download? + raise ForbiddenError, download_forbidden_message if deploy_token_cannot_download? end override :check_change_access! @@ -52,6 +53,17 @@ module Gitlab def not_found_message error_message(:not_found) end + + private + + # when accessing via the CI_JOB_TOKEN + def build_cannot_download? + build_can_download_code? && !user_access.can_do_action?(download_ability) + end + + def deploy_token_cannot_download? + deploy_token && !deploy_token.can?(download_ability, container) + end end end |