-rw-r--r-- | app/controllers/projects/raw_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/repositories_controller.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-nuget-regex-update-redos.yml | 5 | ||||
-rw-r--r-- | lib/api/concerns/packages/nuget_endpoints.rb | 2 | ||||
-rw-r--r-- | spec/controllers/projects/raw_controller_spec.rb | 12 | ||||
-rw-r--r-- | spec/controllers/projects/repositories_controller_spec.rb | 12 | ||||
-rw-r--r--[-rwxr-xr-x] | vendor/gitignore/C++.gitignore | 0 | ||||
-rw-r--r--[-rwxr-xr-x] | vendor/gitignore/Java.gitignore | 0 |
9 files changed, 37 insertions, 3 deletions
diff --git a/app/controllers/projects/raw_controller.rb b/app/controllers/projects/raw_controller.rb
index 8be7af3e2c5..3fff93abe5c 100644
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -21,7 +21,7 @@ class Projects::RawController < Projects::ApplicationController
 
 def show
 @blob = @repository.blob_at(@ref, @path)
- send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: @project.public?)
+ send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: Guest.can?(:download_code, @project))
 end
 
 private
diff --git a/app/controllers/projects/repositories_controller.rb b/app/controllers/projects/repositories_controller.rb
index fb6a09cff65..da018b24836 100644
--- a/app/controllers/projects/repositories_controller.rb
+++ b/app/controllers/projects/repositories_controller.rb
@@ -53,7 +53,7 @@ class Projects::RepositoriesController < Projects::ApplicationController
 end
 
 def set_cache_headers
- expires_in cache_max_age(archive_metadata['CommitId']), public: project.public?
+ expires_in cache_max_age(archive_metadata['CommitId']), public: Guest.can?(:download_code, project)
 fresh_when(etag: archive_metadata['ArchivePath'])
 end
 
diff --git a/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml b/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml
new file mode 100644
index 00000000000..20cd1659565
--- /dev/null
+++ b/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml
@@ -0,0 +1,5 @@
+---
+title: Forbid public cache for private repos
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-nuget-regex-update-redos.yml b/changelogs/unreleased/security-nuget-regex-update-redos.yml
new file mode 100644
index 00000000000..5182097b8b1
--- /dev/null
+++ b/changelogs/unreleased/security-nuget-regex-update-redos.yml
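Review bot: The new `allow_caching:` argument carries no comment explaining why `Guest.can?(:download_code, @project)` is the right test rather than `@project.public?`, and the same applies to the `public:` option in the `set_cache_headers` hunk of repositories_controller.rb. Both values end up as a `Cache-Control: public` directive, which permits shared caches to serve the response to anyone, so the relevant question is whether an anonymous user could fetch this content themselves, not whether the project as a whole is public; a project can be public while its repository is restricted. I would add above each call `# Cache-Control may only be public when an anonymous user could download this repository; project visibility alone is not sufficient.` so the check is not "simplified" back later. Both enclosing methods' classes start outside the hunks, and `Guest` and `:download_code` are presumably the existing policy helpers used elsewhere in the app.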
@@ -0,0 +1,5 @@
+---
+title: Update NuGet regular expression to protect against ReDoS
+merge_request:
+author:
+type: security
diff --git a/lib/api/concerns/packages/nuget_endpoints.rb b/lib/api/concerns/packages/nuget_endpoints.rb
index 5177c4d23c0..1a03a6a6dad 100644
--- a/lib/api/concerns/packages/nuget_endpoints.rb
+++ b/lib/api/concerns/packages/nuget_endpoints.rb
@@ -15,7 +15,7 @@ module API
 extend ActiveSupport::Concern
 
 POSITIVE_INTEGER_REGEX = %r{\A[1-9]\d*\z}.freeze
- NON_NEGATIVE_INTEGER_REGEX = %r{\A0|[1-9]\d*\z}.freeze
+ NON_NEGATIVE_INTEGER_REGEX = %r{\A(0|[1-9]\d*)\z}.freeze
 
 included do
 helpers do
diff --git a/spec/controllers/projects/raw_controller_spec.rb b/spec/controllers/projects/raw_controller_spec.rb
index dfe7ba34e6d..b1c3c1c0276 100644
--- a/spec/controllers/projects/raw_controller_spec.rb
+++ b/spec/controllers/projects/raw_controller_spec.rb
@@ -250,6 +250,18 @@ RSpec.describe Projects::RawController do
 expect(response.cache_control[:no_store]).to be_nil
 end
 
+ context 'when a public project has private repo' do
+ let(:project) { create(:project, :public, :repository, :repository_private) }
+ let(:user) { create(:user, maintainer_projects: [project]) }
+
+ it 'does not set public caching header' do
+ sign_in user
+ request_file
+
+ expect(response.header['Cache-Control']).to include('max-age=60, private')
+ end
+ end
+
 context 'when If-None-Match header is set' do
 it 'returns a 304 status' do
 request_file
diff --git a/spec/controllers/projects/repositories_controller_spec.rb b/spec/controllers/projects/repositories_controller_spec.rb
index e7f4a8a1422..e6327a72a68 100644
--- a/spec/controllers/projects/repositories_controller_spec.rb
+++ b/spec/controllers/projects/repositories_controller_spec.rb
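Review bot: The grouped `NON_NEGATIVE_INTEGER_REGEX` fixes an alternation-precedence defect as much as a performance one, and that deserves a comment so it is not regressed: in the old `\A0|[1-9]\d*\z` each anchor bound only its own branch, so a string such as `"0abc"` matched via `\A0` and `"abc12"` via `[1-9]\d*\z`, letting non-integer input through validation. I would put above the constant `# Grouped so \A and \z apply to both branches: a lone 0, or digits without a leading zero.` The unanchored second branch also had to be retried from every position of a long input, which is presumably the ReDoS the changelog refers to. If nothing reads the capture group (callers are not visible here), `%r{\A(?:0|[1-9]\d*)\z}` avoids allocating a capture per match and matches the style of `POSITIVE_INTEGER_REGEX` just above; the enclosing module continues outside the hunk.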
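Review bot: The new raw_controller_spec context exercises only a signed-in maintainer, but the directive under test comes from `Guest.can?(:download_code, @project)` in the controller, which does not depend on the requester at all, and nothing in the example says so. A one-line comment above the `it`, e.g. `# The directive must be private because an anonymous user cannot download this repository, regardless of the requester's own access`, would explain why a user who is allowed to read the blob still gets a non-shared cache header. The `let(:user)` here presumably shadows a `let(:user)` from the enclosing describe, which starts outside this hunk; worth confirming that no `before` block above relies on the original user.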
@@ -137,6 +137,18 @@ RSpec.describe Projects::RepositoriesController do
 expect(response.header['ETag']).to be_present
 expect(response.header['Cache-Control']).to include('max-age=60, public')
 end
+
+ context 'and repo is private' do
+ let(:project) { create(:project, :repository, :public, :repository_private) }
+
+ it 'sets appropriate caching headers' do
+ get_archive
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.header['ETag']).to be_present
+ expect(response.header['Cache-Control']).to include('max-age=60, private')
+ end
+ end
 end
 
 context 'when ref is a commit SHA' do
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100755..100644
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100755..100644
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore
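Review bot: The new example repeats the three expectations of the sibling example directly above it (status, `ETag` present, `Cache-Control` substring) with only the `public`/`private` token differing, so a `shared_examples` block taking the expected directive as a parameter would keep the two assertions in step if the max-age or header format changes. The example does not call `sign_in`, yet expects `:ok` on a public project whose repository is private, so the enclosing context, which starts outside this hunk, presumably signs in a user that can download code; a comment such as `# Requester is authenticated by the outer context; the private directive reflects anonymous access, not this user's` would make that dependency explicit. The literal `'max-age=60, private'` couples the spec to the current max-age value, though it mirrors the existing assertion in this file.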