-rw-r--r--CHANGELOG2
-rw-r--r--Gemfile2
-rw-r--r--Gemfile.lock4
-rw-r--r--app/views/ci/projects/_public.html.haml5
-rw-r--r--app/views/notify/new_user_email.html.haml2
-rw-r--r--doc/migrate_ci_to_ce/README.md12
-rw-r--r--lib/api/users.rb2
-rw-r--r--lib/support/nginx/gitlab_ci12
-rw-r--r--spec/requests/api/users_spec.rb56
9 files changed, 87 insertions, 10 deletions
diff --git a/CHANGELOG b/CHANGELOG
index ee70789babc..7a7f86bcba8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
Please view this file on the master branch, on stable branches it's out of date.
v 8.0.0 (unreleased)
+ - Fix HTML link that was improperly escaped in new user e-mail (Stan Hu)
- Fix broken sort in merge request API (Stan Hu)
- Bump rouge to 1.10.1 to remove warning noise and fix other syntax highlighting bugs (Stan Hu)
- Gracefully handle errors in syntax highlighting by leaving the block unformatted (Stan Hu)
@@ -17,6 +18,7 @@ v 8.0.0 (unreleased)
- Improve dropdown positioning on the project home page (Hannes Rosenögger)
- Upgrade browser gem to 1.0.0 to avoid warning in IE11 compatibilty mode (Stan Hu)
- Remove user OAuth tokens from the database and request new tokens each session (Stan Hu)
+ - Restrict users API endpoints to use integer IDs (Stan Hu)
- Only show recent push event if the branch still exists or a recent merge request has not been created (Stan Hu)
- Remove satellites
- Better performance for web editor (switched from satellites to rugged)
diff --git a/Gemfile b/Gemfile
index 62968c57200..1903d66e6ab 100644
--- a/Gemfile
+++ b/Gemfile
@@ -286,7 +286,7 @@ gem "newrelic_rpm", '~> 3.9.4.245'
gem 'octokit', '~> 3.7.0'
-gem "mail_room", "~> 0.4.2"
+gem "mail_room", "~> 0.5.1"
gem 'email_reply_parser', '~> 0.5.8'
diff --git a/Gemfile.lock b/Gemfile.lock
index a4a0762bdd8..eeaddc95a8e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -384,7 +384,7 @@ GEM
systemu (~> 2.6.2)
mail (2.6.3)
mime-types (>= 1.16, < 3)
- mail_room (0.4.2)
+ mail_room (0.5.1)
method_source (0.8.2)
mime-types (1.25.1)
mimemagic (0.3.0)
@@ -846,7 +846,7 @@ DEPENDENCIES
jquery-ui-rails (~> 4.2.1)
kaminari (~> 0.15.1)
letter_opener (~> 1.1.2)
- mail_room (~> 0.4.2)
+ mail_room (~> 0.5.1)
minitest (~> 5.7.0)
mousetrap-rails (~> 1.4.6)
mysql2 (~> 0.3.16)
diff --git a/app/views/ci/projects/_public.html.haml b/app/views/ci/projects/_public.html.haml
index c2157ab741a..bcbd60b83f0 100644
--- a/app/views/ci/projects/_public.html.haml
+++ b/app/views/ci/projects/_public.html.haml
@@ -2,11 +2,6 @@
%h3.project-title
Public projects
-.bs-callout
- = link_to new_ci_user_sessions_path(state: generate_oauth_state(request.fullpath)) do
- %strong Login with GitLab
- to see your private projects
-
- if @projects.present?
.projects
%table.table
diff --git a/app/views/notify/new_user_email.html.haml b/app/views/notify/new_user_email.html.haml
index 4feacdaacff..6b9b42dcf37 100644
--- a/app/views/notify/new_user_email.html.haml
+++ b/app/views/notify/new_user_email.html.haml
@@ -13,4 +13,4 @@
%p
= link_to "Click here to set your password", edit_password_url(@user, reset_password_token: @token)
%p
- = reset_token_expire_message
+ = raw reset_token_expire_message
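Review bot: `raw reset_token_expire_message` switches off HTML escaping for the entire string the helper returns, not just the link the CHANGELOG entry says it contains; any other value interpolated into that message (a host name, a duration, a user-supplied setting) is now emitted unescaped into the e-mail. The helper's body is not in this diff, so this is only safe if it is known to interpolate trusted values exclusively. The more robust shape is to have the helper build the anchor with `link_to` and join it to the surrounding text with `safe_join`, which yields a string that is already HTML-safe, and then restore this line to `= reset_token_expire_message` so text fragments keep going through the escaper.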
diff --git a/doc/migrate_ci_to_ce/README.md b/doc/migrate_ci_to_ce/README.md
index e12ea9a9ad7..13efc8442d2 100644
--- a/doc/migrate_ci_to_ce/README.md
+++ b/doc/migrate_ci_to_ce/README.md
@@ -222,6 +222,18 @@ You need to edit `/etc/nginx/sites-available/gitlab_ci` and paste:
resolver 8.8.8.8 8.8.4.4;
proxy_pass $scheme://YOUR_GITLAB_SERVER_FQDN/ci$request_uri;
}
+
+ # expose build endpoint to allow trigger builds
+ location ~ ^/projects/\d+/build$ {
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # You need to specify your DNS servers that are able to resolve YOUR_GITLAB_SERVER_FQDN
+ resolver 8.8.8.8 8.8.4.4;
+ proxy_pass $scheme://YOUR_GITLAB_SERVER_FQDN/ci$request_uri;
+ }
# redirect all other CI requests
location / {
diff --git a/lib/api/users.rb b/lib/api/users.rb
index ee29f952246..813cc379e43 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -3,7 +3,7 @@ module API
class Users < Grape::API
before { authenticate! }
- resource :users do
+ resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do
# Get a users list
#
# Example Request:
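Review bot: The requirement regexes `/[0-9]*/` also match the empty string, so an empty `:id`/`:uid` segment (e.g. `/users//keys`) still satisfies the constraint even though the changelog describes the change as restricting the endpoints to integer IDs; `requirements: { uid: /[0-9]+/, id: /[0-9]+/ }` states that intent exactly, and the spec's `/users/1ASDF` → 404 case shows the pattern is anchored, so `+` is sufficient. This constraint is attached to `resource :users` only; the singular `/user/keys/:id` and `/user/emails/:id` routes exercised elsewhere in the spec are presumably defined under a separate resource and, if so, are not covered by it. The `resource :users` block continues past the end of this hunk.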
diff --git a/lib/support/nginx/gitlab_ci b/lib/support/nginx/gitlab_ci
index bf05edfd780..ce179d6f599 100644
--- a/lib/support/nginx/gitlab_ci
+++ b/lib/support/nginx/gitlab_ci
@@ -18,6 +18,18 @@ server {
proxy_pass $scheme://YOUR_GITLAB_SERVER_FQDN/ci$request_uri;
}
+ # expose build endpoint to allow trigger builds
+ location ~ ^/projects/\d+/build$ {
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # You need to specify your DNS servers that are able to resolve YOUR_GITLAB_SERVER_FQDN
+ resolver 8.8.8.8 8.8.4.4;
+ proxy_pass $scheme://YOUR_GITLAB_SERVER_FQDN/ci$request_uri;
+ }
+
# redirect all other CI requests
location / {
return 301 $scheme://YOUR_GITLAB_SERVER_FQDN/ci$request_uri;
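Review bot: The new `location ~ ^/projects/\d+/build$` block ships with `resolver 8.8.8.8 8.8.4.4;`, so an installation that does not edit the template resolves `YOUR_GITLAB_SERVER_FQDN` over unauthenticated UDP DNS from a public resolver on each build-trigger request and proxies that request, together with whatever credential it carries, to the returned address; the existing comment only says to use DNS that can resolve the name, so I would extend it to `# use a trusted (internal) resolver here; do not leave the public defaults in production`. The block forwards only `X-Real-IP`; adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` keeps the client chain and original scheme visible to GitLab behind this proxy. The timeout, resolver and `proxy_pass` lines are a verbatim copy of the preceding location, which is worth hoisting to `server` scope rather than duplicating per location.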
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index f2aa369985e..f9bc63680ba 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -58,6 +58,11 @@ describe API::API, api: true do
expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 Not found')
end
+
+ it "should return a 404 if invalid ID" do
+ get api("/users/1ASDF", user)
+ expect(response.status).to eq(404)
+ end
end
describe "POST /users" do
@@ -257,6 +262,10 @@ describe API::API, api: true do
expect(json_response['message']).to eq('404 Not found')
end
+ it "should raise error for invalid ID" do
+ expect{put api("/users/ASDF", admin) }.to raise_error(ActionController::RoutingError)
+ end
+
it 'should return 400 error if user does not validate' do
put api("/users/#{user.id}", admin),
password: 'pass',
@@ -319,6 +328,10 @@ describe API::API, api: true do
post api("/users/#{user.id}/keys", admin), key_attrs
end.to change{ user.keys.count }.by(1)
end
+
+ it "should raise error for invalid ID" do
+ expect{post api("/users/ASDF/keys", admin) }.to raise_error(ActionController::RoutingError)
+ end
end
describe 'GET /user/:uid/keys' do
@@ -346,6 +359,11 @@ describe API::API, api: true do
expect(json_response).to be_an Array
expect(json_response.first['title']).to eq(key.title)
end
+
+ it "should return 404 for invalid ID" do
+ get api("/users/ASDF/keys", admin)
+ expect(response.status).to eq(404)
+ end
end
end
@@ -400,6 +418,10 @@ describe API::API, api: true do
post api("/users/#{user.id}/emails", admin), email_attrs
end.to change{ user.emails.count }.by(1)
end
+
+ it "should raise error for invalid ID" do
+ expect{post api("/users/ASDF/emails", admin) }.to raise_error(ActionController::RoutingError)
+ end
end
describe 'GET /user/:uid/emails' do
@@ -427,6 +449,10 @@ describe API::API, api: true do
expect(json_response).to be_an Array
expect(json_response.first['email']).to eq(email.email)
end
+
+ it "should raise error for invalid ID" do
+ expect{put api("/users/ASDF/emails", admin) }.to raise_error(ActionController::RoutingError)
+ end
end
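Review bot: The example added inside `describe 'GET /user/:uid/emails'` issues `put api("/users/ASDF/emails", admin)`, and no PUT route exists for that path in the visible code, so `ActionController::RoutingError` is raised whether or not the new ID requirement is present and the test does not exercise the change. Mirror the keys example and test the GET path it sits under: `get api("/users/ASDF/emails", admin)` followed by `expect(response.status).to eq(404)`. The enclosing `describe` block started before this hunk.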
end
@@ -463,6 +489,10 @@ describe API::API, api: true do
expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 Email Not Found')
end
+
+ it "should raise error for invalid ID" do
+ expect{delete api("/users/ASDF/emails/bar", admin) }.to raise_error(ActionController::RoutingError)
+ end
end
end
@@ -491,6 +521,10 @@ describe API::API, api: true do
expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 User Not Found')
end
+
+ it "should raise error for invalid ID" do
+ expect{delete api("/users/ASDF", admin) }.to raise_error(ActionController::RoutingError)
+ end
end
describe "GET /user" do
@@ -553,6 +587,11 @@ describe API::API, api: true do
expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 Not found')
end
+
+ it "should return 404 for invalid ID" do
+ get api("/users/keys/ASDF", admin)
+ expect(response.status).to eq(404)
+ end
end
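Review bot: The path `/users/keys/ASDF` does not belong to the `GET /user/keys/:id` group this example sits in; the neighbouring examples use `/user/keys/…`, and `/users/keys/ASDF` is a three-segment `/users/` path that matches no route, so the 404 says nothing about the singular endpoint. Change it to `get api("/user/keys/ASDF", admin)`. Note that the requirement added in this commit is declared on `resource :users`; whether the singular `resource :user` routes carry the same constraint is not visible in this diff, so the corrected example may fail until one is added there too. The DELETE example in the next hunk has the same `/users/keys/` slip.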
describe "POST /user/keys" do
@@ -608,6 +647,10 @@ describe API::API, api: true do
delete api("/user/keys/#{key.id}")
expect(response.status).to eq(401)
end
+
+ it "should raise error for invalid ID" do
+ expect{delete api("/users/keys/ASDF", admin) }.to raise_error(ActionController::RoutingError)
+ end
end
describe "GET /user/emails" do
@@ -653,6 +696,11 @@ describe API::API, api: true do
expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 Not found')
end
+
+ it "should return 404 for invalid ID" do
+ get api("/users/emails/ASDF", admin)
+ expect(response.status).to eq(404)
+ end
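Review bot: As with the keys examples, `get api("/users/emails/ASDF", admin)` in the `GET /user/emails/:id` group targets a `/users/…` path that matches no route at all, so the 404 passes without touching the `/user/emails/:id` endpoint under test. Use `get api("/user/emails/ASDF", admin)`, and be aware that the `resource :users` requirement from this commit may not apply to the singular `resource :user` routes, which are not visible here. The DELETE example in the following hunk uses the same wrong prefix.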
end
describe "POST /user/emails" do
@@ -697,6 +745,10 @@ describe API::API, api: true do
delete api("/user/emails/#{email.id}")
expect(response.status).to eq(401)
end
+
+ it "should raise error for invalid ID" do
+ expect{delete api("/users/emails/ASDF", admin) }.to raise_error(ActionController::RoutingError)
+ end
end
describe 'PUT /user/:id/block' do
@@ -748,5 +800,9 @@ describe API::API, api: true do
expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 User Not Found')
end
+
+ it "should raise error for invalid ID" do
+ expect{put api("/users/ASDF/block", admin) }.to raise_error(ActionController::RoutingError)
+ end
end
end