16 files changed, 97 insertions, 20 deletions
diff --git a/app/helpers/external_link_helper.rb b/app/helpers/external_link_helper.rb
new file mode 100644
index 00000000000..9dbad1f5032
--- /dev/null
+++ b/app/helpers/external_link_helper.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module ExternalLinkHelper
+ def external_link(body, url, options = {})
+ link_to url, { target: '_blank', rel: 'noopener noreferrer' }.merge(options) do
+ "#{body} #{icon('external-link')}".html_safe
+ end
+ end
+end
diff --git a/app/models/concerns/routable.rb b/app/models/concerns/routable.rb
index 07d22641a0a..8b011bca72c 100644
--- a/app/models/concerns/routable.rb
+++ b/app/models/concerns/routable.rb
@@ -33,7 +33,7 @@ module Routable
 #
 # Returns a single object, or nil.
 def find_by_full_path(path, follow_redirects: false)
- increment_counter(:routable_find_by_full_path, 'Number of calls to Routable.find_by_full_path')
+ routable_calls_counter.increment(method: 'find_by_full_path')
 
 if Feature.enabled?(:routable_two_step_lookup)
 # Case sensitive match first (it's cheaper and the usual case)
@@ -61,7 +61,7 @@ module Routable
 def where_full_path_in(paths)
 return none if paths.empty?
 
- increment_counter(:routable_where_full_path_in, 'Number of calls to Routable.where_full_path_in')
+ routable_calls_counter.increment(method: 'where_full_path_in')
 
 wheres = paths.map do |path|
 "(LOWER(routes.path) = LOWER(#{connection.quote(path)}))"
@@ -71,12 +71,8 @@ module Routable
 end
 
 # Temporary instrumentation of method calls
- def increment_counter(counter, description)
- @counters[counter] ||= Gitlab::Metrics.counter(counter, description)
-
- @counters[counter].increment
- rescue
- # ignore the error
+ def routable_calls_counter
+ @routable_calls_counter ||= Gitlab::Metrics.counter(:gitlab_routable_calls_total, 'Number of calls to Routable by method')
 end
 end
 
diff --git a/app/validators/addressable_url_validator.rb b/app/validators/addressable_url_validator.rb
index bb445499cee..f292730441c 100644
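Review bot: `external_link` interpolates `body` into a plain string and then marks the whole result `.html_safe`, so any markup in `body` reaches the page unescaped; the callers in this commit pass `domain.url` and `@project.pages_url`, which come from stored domain records, but the helper itself has no guard and will be reused. Build the content through the escaping helpers instead, e.g. `safe_join([body, icon('external-link')], ' ')` (or `"#{ERB::Util.html_escape(body)} #{icon('external-link')}".html_safe`). The new spec in spec/helpers/external_link_helper_spec.rb only exercises URL bodies, so an example with a body containing `<` would pin the escaping. Separately, `{ target: '_blank', rel: 'noopener noreferrer' }.merge(options)` lets a caller override `rel` and silently drop `noopener noreferrer`; if that is intended, say so in a comment on the method, otherwise merge the other way round.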
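Review bot: The replacement `routable_calls_counter` in the third routable.rb hunk drops the `rescue` that `increment_counter` had, so if `Gitlab::Metrics.counter` or `#increment` can raise (the old code evidently assumed it could; the metrics client is not visible here), the error now propagates out of `find_by_full_path` and `where_full_path_in` in the first two hunks, which sit on the lookup path. Either keep a narrow best-effort rescue around the two `routable_calls_counter.increment(...)` call sites, or extend the `# Temporary instrumentation of method calls` comment to state that the metrics client is expected not to raise. Whether the `method:` label used at increment time needs to be declared when the counter is created depends on the metrics client version, which the single `counter(:gitlab_routable_calls_total, '...')` call does not show; confirm against the helper. Both `find_by_full_path` and `where_full_path_in` continue outside their hunks.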
--- a/app/validators/addressable_url_validator.rb
+++ b/app/validators/addressable_url_validator.rb
@@ -42,6 +42,11 @@ class AddressableUrlValidator < ActiveModel::EachValidator
 
 attr_reader :record
 
+ # By default, we avoid checking the dns rebinding protection
+ # when saving/updating a record. Sometimes, the url
+ # is not resolvable at that point, and some automated
+ # tasks that uses that url won't work.
+ # See https://gitlab.com/gitlab-org/gitlab-ce/issues/66723
 BLOCKER_VALIDATE_OPTIONS = {
 schemes: %w(http https),
 ports: [],
@@ -49,7 +54,8 @@ class AddressableUrlValidator < ActiveModel::EachValidator
 allow_local_network: true,
 ascii_only: false,
 enforce_user: false,
- enforce_sanitization: false
+ enforce_sanitization: false,
+ dns_rebind_protection: false
 }.freeze
 
 DEFAULT_OPTIONS = BLOCKER_VALIDATE_OPTIONS.merge({
diff --git a/app/views/projects/pages/_access.html.haml b/app/views/projects/pages/_access.html.haml
index 539f223ca9b..7b6d46964a2 100644
--- a/app/views/projects/pages/_access.html.haml
+++ b/app/views/projects/pages/_access.html.haml
@@ -7,9 +7,11 @@
 %strong
 = _("Your pages are served under:")
 
- %p= link_to @project.pages_url, @project.pages_url
+ %p
+ = external_link(@project.pages_url, @project.pages_url)
 - @project.pages_domains.each do |domain|
- %p= link_to domain.url, domain.url
+ %p
+ = external_link(domain.url, domain.url)
 
 .card-footer.alert-primary
 = _("It may take up to 30 minutes before the site is available after the first deployment.")
diff --git a/app/views/projects/pages/_list.html.haml b/app/views/projects/pages/_list.html.haml
index 2427b4d7611..c4285e7f3d2 100644
--- a/app/views/projects/pages/_list.html.haml
+++ b/app/views/projects/pages/_list.html.haml
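Review bot: Adding `dns_rebind_protection: false` to `BLOCKER_VALIDATE_OPTIONS` (second hunk of this file) switches the check off for every use of the validator that does not pass the option explicitly, since `DEFAULT_OPTIONS` is built from it, not only for the save/update case the new comment describes; the comment should name which code path is expected to still enforce rebinding protection when the stored URL is actually fetched, otherwise a reader will take the validator as the only line of defence. Suggested wording for the end of the comment: `# The check still has to run where the URL is fetched; this only skips it at validation time.` followed by the existing `# See https://gitlab.com/gitlab-org/gitlab-ce/issues/66723`. Minor: `tasks that uses that url` should read `tasks that use that URL`. The spec hunk in spec/validators/addressable_url_validator_spec.rb shows the per-validator override `dns_rebind_protection: dns_value`, so a caller can re-enable it; worth mentioning in the same comment.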
@@ -12,9 +12,7 @@
 .domain-status.ci-status-icon.has-tooltip{ class: "ci-status-icon-#{status}", title: tooltip }
 = sprite_icon("status_#{status}", size: 16 )
 .domain-name
- = link_to domain.url do
- = domain.url
- = icon('external-link')
+ = external_link(domain.url, domain.url)
 - if domain.subject
 %div
 %span.badge.badge-gray Certificate: #{domain.subject}
diff --git a/app/views/projects/pages_domains/show.html.haml b/app/views/projects/pages_domains/show.html.haml
index d0b54946f7e..33837e21c8d 100644
--- a/app/views/projects/pages_domains/show.html.haml
+++ b/app/views/projects/pages_domains/show.html.haml
@@ -21,9 +21,7 @@
 %td
 = _("Domain")
 %td
- = link_to @domain.url do
- = @domain.url
- = icon('external-link')
+ = external_link(@domain.url, @domain.url)
 %tr
 %td
 = _("DNS")
diff --git a/changelogs/unreleased/66067-pages-domain-doesnt-set-target-blank.yml b/changelogs/unreleased/66067-pages-domain-doesnt-set-target-blank.yml
new file mode 100644
index 00000000000..726d4b163d2
--- /dev/null
+++ b/changelogs/unreleased/66067-pages-domain-doesnt-set-target-blank.yml
@@ -0,0 +1,5 @@
+---
+title: Makes custom Pages domain open as external link in new tab
+merge_request: 32130
+author: jakeburden
+type: fixed
diff --git a/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml b/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml
new file mode 100644
index 00000000000..9c74f8d69c7
--- /dev/null
+++ b/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml
@@ -0,0 +1,5 @@
+---
+title: Avoid checking dns rebind protection when validating
+merge_request: 32577
+author:
+type: fixed
diff --git a/doc/user/application_security/security_dashboard/img/group_security_dashboard_v12_3.png b/doc/user/application_security/security_dashboard/img/group_security_dashboard_v12_3.png
Binary files differ
index 61f683c1335..1fe76a9e08f 100644..100755
--- a/doc/user/application_security/security_dashboard/img/group_security_dashboard_v12_3.png
+++ b/doc/user/application_security/security_dashboard/img/group_security_dashboard_v12_3.png
diff --git a/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v12_3.png b/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v12_3.png
Binary files differ
index 0b2dfecd9e7..09979ba99b3 100644..100755
--- a/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v12_3.png
+++ b/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v12_3.png
diff --git a/doc/user/application_security/security_dashboard/img/project_security_dashboard.png b/doc/user/application_security/security_dashboard/img/project_security_dashboard.png
Binary files differ
deleted file mode 100644
index baa136fd885..00000000000
--- a/doc/user/application_security/security_dashboard/img/project_security_dashboard.png
+++ /dev/null
diff --git a/doc/user/application_security/security_dashboard/img/project_security_dashboard_v12_3.png b/doc/user/application_security/security_dashboard/img/project_security_dashboard_v12_3.png
Binary files differ
new file mode 100755
index 00000000000..51e80bdb50d
--- /dev/null
+++ b/doc/user/application_security/security_dashboard/img/project_security_dashboard_v12_3.png
diff --git a/doc/user/application_security/security_dashboard/index.md b/doc/user/application_security/security_dashboard/index.md
index a98ca1fb338..ac539509e22 100644
--- a/doc/user/application_security/security_dashboard/index.md
+++ b/doc/user/application_security/security_dashboard/index.md
@@ -52,7 +52,7 @@ At the project level, the Security Dashboard displays the latest security report for your project. Use it to find and fix vulnerabilities affecting the [default branch](../../project/repository/branches/index.md#default-branch).
-![Project Security Dashboard](img/project_security_dashboard.png)
+![Project Security Dashboard](img/project_security_dashboard_v12_3.png)
 ## Group Security Dashboard
@@ -71,12 +71,15 @@ Once you're on the dashboard, at the top you should see a series of filters for:
 - Report type
 - Project
+To the right of the filters, you should see a **Hide dismissed** toggle button.
+
 NOTE: **Note:** The dashboard only shows projects with [security reports](#supported-reports) enabled in a group.
 ![dashboard with action buttons and metrics](img/group_security_dashboard_v12_3.png)
-Selecting one or more filters will filter the results in this page.
+Selecting one or more filters will filter the results in this page. Disabling the **Hide dismissed**
+toggle button will let you also see vulnerabilities that have been dismissed.
 The main section is a list of all the vulnerabilities in the group, sorted by severity. In that list, you can see the severity of the vulnerability, its name, its
diff --git a/lib/gitlab/danger/helper.rb b/lib/gitlab/danger/helper.rb
index 5424298723e..d30d5a38670 100644
--- a/lib/gitlab/danger/helper.rb
+++ b/lib/gitlab/danger/helper.rb
@@ -110,7 +110,8 @@ module Gitlab
 karma\.config\.js |
 webpack\.config\.js |
 package\.json |
- yarn\.lock
+ yarn\.lock |
+ \.gitlab/ci/frontend\.gitlab-ci\.yml
 )\z}x => :frontend,
 
 %r{\A(ee/)?db/(?!fixtures)[^/]+} => :database,
diff --git a/spec/helpers/external_link_helper_spec.rb b/spec/helpers/external_link_helper_spec.rb
new file mode 100644
index 00000000000..7fc4ef18731
--- /dev/null
+++ b/spec/helpers/external_link_helper_spec.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ExternalLinkHelper do
+ include IconsHelper
+
+ it 'returns external link with icon' do
+ expect(external_link('https://gitlab.com', 'https://gitlab.com').to_s)
+ .to eq('<a target="_blank" rel="noopener noreferrer" href="https://gitlab.com">https://gitlab.com <i aria-hidden="true" data-hidden="true" class="fa fa-external-link"></i></a>')
+ end
+
+ it 'allows options when creating external link with icon' do
+ expect(external_link('https://gitlab.com', 'https://gitlab.com', { "data-foo": "bar", class: "externalLink" }).to_s)
+ .to eq('<a target="_blank" rel="noopener noreferrer" data-foo="bar" class="externalLink" href="https://gitlab.com">https://gitlab.com <i aria-hidden="true" data-hidden="true" class="fa fa-external-link"></i></a>')
+ end
+end
diff --git a/spec/validators/addressable_url_validator_spec.rb b/spec/validators/addressable_url_validator_spec.rb
index 387e84b2d04..6927a1f67a1 100644
--- a/spec/validators/addressable_url_validator_spec.rb
+++ b/spec/validators/addressable_url_validator_spec.rb
@@ -92,6 +92,15 @@ describe AddressableUrlValidator do
 expect(badge.errors).to be_empty
 expect(badge.link_url).to eq('https://127.0.0.1')
 end
+
+ it 'allows urls that cannot be resolved' do
+ stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
+ badge.link_url = 'http://foobar.x'
+
+ subject
+
+ expect(badge.errors).to be_empty
+ end
 end
 
 context 'when message is set' do
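Review bot: `'http://foobar.x'` is relied on to be unresolvable, but `.x` is not a reserved top-level domain, so this example (and `not_resolvable_url` in the later hunk of this file) can behave differently on a network where that name resolves or where a resolver returns a wildcard answer; use a name under RFC 2606 reserved space, `badge.link_url = 'http://foobar.invalid'`, in both places. The example passes only because `dns_rebind_protection` now defaults to false; presumably no lookup happens at all in that case, so the title `'allows urls that cannot be resolved'` describes the default rather than any resolution behaviour, and a title such as `'skips resolution by default'` would be more accurate. The enclosing `context` block, and the `badge`/`subject` definitions this relies on, start outside the hunk.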
@@ -312,4 +321,32 @@ describe AddressableUrlValidator do
 end
 end
 end
+
+ context 'when dns_rebind_protection is' do
+ let(:not_resolvable_url) { 'http://foobar.x' }
+ let(:validator) { described_class.new(attributes: [:link_url], dns_rebind_protection: dns_value) }
+
+ before do
+ stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
+ badge.link_url = not_resolvable_url
+
+ subject
+ end
+
+ context 'true' do
+ let(:dns_value) { true }
+
+ it 'raises error' do
+ expect(badge.errors).to be_present
+ end
+ end
+
+ context 'false' do
+ let(:dns_value) { false }
+
+ it 'allows urls that cannot be resolved' do
+ expect(badge.errors).to be_empty
+ end
+ end
+ end
 end |
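Review bot: The example titled `it 'raises error'` asserts `expect(badge.errors).to be_present`, i.e. a validation error on the record, not a raised exception; rename it `it 'adds a validation error'` so a failure reads correctly. The `context 'true'` / `context 'false'` labels only form a sentence when concatenated with the parent `'when dns_rebind_protection is'`; `context 'when dns_rebind_protection is true' do` per block is the conventional form and keeps each example self-describing. The overridden `let(:validator)` is assumed to be what `subject` runs, but `subject` and `badge` are defined outside the hunk, so confirm the override is actually picked up rather than a validator built elsewhere with the defaults; otherwise the `true` branch would pass for the wrong reason.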